Malicious PDF — malware analysis report

Static analysis result for SHA-256 6bef54e52245af7b…

MALICIOUS

PDF

85.2 KB Created: 2021-04-30 12:42:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-21
MD5: d2fb8cdf0df0ac0cc2dff75764792fa5 SHA-1: 77db8afa7ca49a4a9f4838c0c328cf907bf5bace SHA-256: 6bef54e52245af7b7c3869cf00c19c22c24c6f7ddb492b05e67a1a92980ef0d2
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains a large number of external links, many of which point to disposable domains or are used in a link farm configuration, suggesting a phishing or malicious redirection attempt. One of the extracted URLs, 'https://jottigo.ru/strik?utm_term=gigi+liscio+and+frankie+buglione+married', is flagged with an unknown reputation and is part of a heuristic firing indicating a potential malicious link farm. The ClamAV detection and ML classifier further support the malicious nature of this PDF.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jottigo.ru/strik?utm_term=gigi+liscio+and+frankie+buglione+married PDF link annotation
    • https://cdn.sqhk.co/tuxarulenogu/erol0hg/vudolaturapijepusun.pdfIn PDF document text
    • https://cdn.sqhk.co/pujixefan/id4ibhc/badenejapomagi.pdfIn PDF document text
    • https://cdn.sqhk.co/kulobibab/e3heIsN/56950028321.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://s3.amazonaws.com/dugibabafod/when_did_schools_close_for_covid.pdfIn PDF document text
    • https://a179b4bb-f9e1-4b0b-8685-f881d2afde68.filesusr.com/ugd/0fdb6d_bca3919e552e481f8a33ccc6da9bb2b2.pdf?index=trueIn PDF document text
    • https://e5447efa-8854-4d04-834e-f0bbd7438c8b.filesusr.com/ugd/ac612b_98fdddca4a08442a80e860da5f6b9fa5.pdf?index=trueIn PDF document text
    • http://bekusisit.atwebpages.com/77934595303.pdfIn PDF document text
    • http://tikomiwewo.atwebpages.com/boxewopanaj.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/2101df4d-2e3a-4ebc-8cdd-73b93e277f62/samsung_scx-3405fw_driver_download_windows_10.pdfIn PDF document text
    • https://c5e26362-acc3-4c40-9db4-ce0cbd355080.filesusr.com/ugd/681527_38f115acea8a4cbe8c812b394c120f6f.pdf?index=trueIn PDF document text
    • https://6d428a25-da86-44fa-8f13-5b0f09742281.filesusr.com/ugd/3649d2_ee2e222aa1c2409eb4bfe174cc875876.pdf?index=trueIn PDF document text
    • https://8d59741e-369e-44be-b01e-8fbcb09d2d01.filesusr.com/ugd/7cefa9_d7a837eda73545b484cdc4eb6f4fb830.pdf?index=trueIn PDF document text
    • https://s3.amazonaws.com/degisapemifa/21606795157.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/5f885104-db78-4cb9-9f4e-f49bf8b1a05d/gnostic_gospel_of_judas.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/4cd1d6f3-eef3-41b2-8362-f171a931d97a/25035108244.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/f7a2910f-67cc-433b-980f-6cf488227bc2/gokoz.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00010d85.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10D85 5576 bytes
SHA-256: f30b1c98c7d917a8e51713899953aecd4994fe9ed5e95e3de70609b6f8835f33
font_01_sfnt_off00012075.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x12075 11432 bytes
SHA-256: de7eb2b065e3917bbbebed38256f09d71b6b56db650cebbd31ea5aba29fee824

Open this report in the interactive analyzer, or submit your own file for analysis.