Malicious PDF — malware analysis report

Static analysis result for SHA-256 6c88c60717585c19…

Verdict: MALICIOUS
File type: PDF
Size: 76.6 KB
Created: 2021-03-06 16:14:36 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-07
MD5: baa80af7176052a6811a6f5ec1b7033d
SHA-1: 9f5f300b841cceb6d6ad815c0d4ed1432782c340
SHA-256: 6c88c60717585c19543d1eaaea2a232746c2c845d4713ed88846bc216146c6a6
Risk score: 284

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution

The PDF contains a large number of embedded links, many pointing to free or disposable hosting and to redirector infrastructure, as flagged by the PDF_MALICIOUS_REDIRECTOR_LINK and PDF_SEO_LINK_FARM heuristics. The SE_PASSWORD_ARCHIVE_LURE heuristic indicates that the document instructs the user to decrypt a password-protected archive or attachment, a common way of keeping a payload unscannable until it is past the mail gateway. No scripts were extracted and the file itself carries no exploit; the T1059.007 and T1203 mappings above are therefore not corroborated by extracted content. The link pattern and the ML classification nonetheless point to phishing or malware distribution, with the risk concentrated in the linked destinations rather than in the PDF parser.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (7)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All of the URLs below were found in PDF document text.
    • https://crophysi.ru/strik?utm_term=how+to+scan+multiple+pages+canon
    • https://wewabipela.weebly.com/uploads/1/3/1/3/131379923/2364910382.pdf
    • http://raisinslabs.club/spoken_english_course_for_beginnerslsq9x.pdf
    • http://copyrightprivacy.site/bexopetetoki316ie.pdf
    • http://uspehdnyaaxyz.xyz/kupowodanokan22u.pdf
    • https://ninuxegomozul.weebly.com/uploads/1/3/1/8/131871835/49333fb5d.pdf
    • http://alternativeinfluencenetwork.net/860813182066urgk.pdf
    • http://mazers.fun/what_does_48_000_grain_water_softener_meanlp339.pdf
    • https://zewemoledomuro.weebly.com/uploads/1/3/4/7/134746436/vizisijunuxu_musinonaba_wazan_tasular.pdf
    • https://kasasifu.weebly.com/uploads/1/3/4/6/134697732/8992448.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/e4a12baa-d0ca-4f14-aed1-9a5476a4de77/235116551.pdf
    • https://s3.amazonaws.com/mokamoba/excel_finance_dashboard_templates.pdf
    • https://451b78f8-089e-4d4d-bc4b-60abb621f7e6.filesusr.com/ugd/7ef0dc_b0cf6c83eed144099cdd4bf48356db21.pdf?index=true
    • https://s3.amazonaws.com/fikuvine/are_inversion_tables_good_for_bulging_discs.pdf
    • https://uploads.strikinglycdn.com/files/915b1aa9-b40e-48de-9e0a-ffeaf767591b/fidanezi.pdf
    • https://uploads.strikinglycdn.com/files/ee91f829-2b52-492b-8de9-0ef79bfedd52/99156091005.pdf
    • https://8d5bcf17-53f2-4f21-b585-7a27aef14131.filesusr.com/ugd/7baf93_4e9c36be304446beb8afd90247099985.pdf?index=true
    • https://1dab3517-3db0-43ff-9fd6-b65b51f65b60.filesusr.com/ugd/565485_5a97fd9eb36d4c1abb5230d2aa4ac28c.pdf?index=true
    • https://734e8db3-b9db-457c-abaa-08c06218e7ae.filesusr.com/ugd/f6bb82_ede8ab8438014fd49546c2a15f483e05.pdf?index=true
    • https://uploads.strikinglycdn.com/files/a59bb1ca-920c-4eac-abd2-973c9d380084/tom_clancy_books_in_order_written.pdf
    • https://391e4f24-9fc9-4707-ac06-338edcd9f959.filesusr.com/ugd/110ef3_75a96db2ff34436a8f74087cc661d736.pdf?index=true
    • https://s3.amazonaws.com/semuxemakaw/catholic_telugu_bible_app_free.pdf
    • https://858e1da1-ad31-4e5b-aec0-89c59c6c71f6.filesusr.com/ugd/6240f8_7446fe065da2440fa1911933b5ac7bba.pdf?index=true
    • https://84d5b3ab-51dd-4312-87b7-51df18fb3b26.filesusr.com/ugd/9ea9b6_ccc20c1e7f994fedb42e64d23ab998b9.pdf?index=true
    • https://uploads.strikinglycdn.com/files/967ac90d-a717-43f9-ad43-d11987b45272/big_little_lies_season_2_australia_how_many_episodes.pdf
    • https://s3.amazonaws.com/fewunadupop/bobol_wifi_zte_di_android.pdf
    The remaining extracted strings are XMP/RDF namespace identifiers from the document metadata and the SIL Open Font License URL from an embedded font, not clickable destinations:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
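As an added example (this is not the scanner's code and not part of the original report), the following Python sketches the shape of three of the heuristics listed above: the link-farm clustering behind PDF_SEO_LINK_FARM and PDF_SEO_DISPOSABLE_LINK_FARM (many external .pdf links in a small file, either dominated by one host or spread thin across free hosts with a utm_term redirector), and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (the same object number defined twice with different bodies, which first-wins and last-wins readers resolve differently). The sample PDFs, the thresholds, and the disposable-host list are constructed for this example; the real scanner's thresholds are not published on this page.

```python
"""Added example: minimal re-implementation of two heuristic shapes from the
report (link-farm clustering and duplicate indirect objects) over a raw PDF
byte buffer. Regex-driven, so it does not see objects inside object streams
or encrypted files; use pdf-parser.py / peepdf / pdfid for real triage.
Thresholds, host list and sample PDFs are this example's assumptions."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")  # literal-string URIs only

# Assumed list of free/disposable content hosts (illustrative, not exhaustive).
DISPOSABLE_SUFFIXES = ("weebly.com", "strikinglycdn.com", "filesusr.com", "s3.amazonaws.com")


def parse_objects(buf: bytes):
    """Return (num, gen, body) for every 'N G obj ... endobj' in file order.
    Incremental updates append redefinitions, so duplicates keep that order."""
    return [(int(n), int(g), body.strip()) for n, g, body in OBJ_RE.findall(buf)]


def extract_uris(objects):
    """Collect /URI strings from all object bodies (duplicates included)."""
    return [u.decode("latin-1") for _, _, body in objects for u in URI_RE.findall(body)]


def classify_link_farm(uris, size_bytes, max_size=200_000, min_links=6, dominant=0.5):
    """Mirror the two link-farm heuristics: many external .pdf links in a small
    file, either clustered on one host or spread thin with SEO/disposable cues."""
    pdf_links = [u for u in uris if urlparse(u).path.lower().endswith(".pdf")]
    if size_bytes > max_size or len(pdf_links) < min_links:
        return None
    hosts = Counter(urlparse(u).hostname or "" for u in pdf_links)
    top_share = hosts.most_common(1)[0][1] / len(pdf_links)
    if top_share >= dominant:
        return "PDF_SEO_LINK_FARM"
    utm_term = any("utm_term" in parse_qs(urlparse(u).query) for u in uris)
    disposable = any(h.endswith(DISPOSABLE_SUFFIXES) for h in hosts)
    return "PDF_SEO_DISPOSABLE_LINK_FARM" if (utm_term or disposable) else None


def duplicate_objects(objects):
    """(num, gen) -> bodies, for objects defined more than once with different
    bytes (the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL shape)."""
    bodies = {}
    for n, g, body in objects:
        bodies.setdefault((n, g), []).append(body)
    return {k: v for k, v in bodies.items() if len(set(v)) > 1}


def resolve(objects, num, gen, policy="last"):
    """What a first-wins or last-wins reader returns for object (num, gen)."""
    matches = [b for n, g, b in objects if (n, g) == (num, gen)]
    if not matches:
        return None
    return matches[0] if policy == "first" else matches[-1]


def make_pdf(uris, update_uri=None):
    """Constructed sample: one page whose link annotations point at `uris`;
    `update_uri` appends an incremental update that redefines annotation 4 0."""
    link = b"%d 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (%s) >> >> endobj\n"
    annots = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(uris)))
    body = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [" + annots + b"] >> endobj\n")
    body += b"".join(link % (4 + i, u.encode()) for i, u in enumerate(uris))
    body += b"trailer << /Root 1 0 R >>\n%%EOF\n"
    if update_uri:  # second definition of 4 0 with a different body
        body += link % (4, update_uri.encode()) + b"trailer << /Root 1 0 R >>\n%%EOF\n"
    return body


# Constructed inputs: one host-clustered farm, one spread across free hosts
# plus an incremental update that swaps the first link for a utm_term redirector.
CLUSTERED = [f"http://farm.example/doc{i}.pdf" for i in range(8)]
SPREAD = ([f"https://user{i}.weebly.com/uploads/{i}.pdf" for i in range(4)]
          + [f"http://host{i}.example/{i}.pdf" for i in range(4)])
SPREAD_WITH_UPDATE = make_pdf(SPREAD, update_uri="https://seo.example/strik?utm_term=free+template")


def analyse(buf: bytes):
    objs = parse_objects(buf)
    return {"verdict": classify_link_farm(extract_uris(objs), len(buf)),
            "dupes": sorted(duplicate_objects(objs)),
            "first": resolve(objs, 4, 0, "first"),
            "last": resolve(objs, 4, 0, "last")}


if __name__ == "__main__":
    for name, buf in (("clustered", make_pdf(CLUSTERED)), ("spread", SPREAD_WITH_UPDATE)):
        print(name, analyse(buf))
```

For the real sample the same comparison is worth doing by hand: dump the duplicated object with pdf-parser.py or peepdf, check which definition the final xref actually points at, and compare it with the one that appears last in the file, since a reader that trusts the xref and one that scans linearly can land on different link targets.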

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000ed6c.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xED6C
Size: 5212 bytes
SHA-256: e88e4643ffc7ace9c174994503b25aaedba7d01f6e3952ab1039de5b49f9b076

Filename: font_01_sfnt_off0000ff2d.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xFF2D
Size: 10908 bytes
SHA-256: 8d3830450a1127fbae50ab81041f31142b88b49746029cc3828384d81c9635ea