Malicious PDF — malware analysis report

Static analysis result for SHA-256 70145fe06dfc899f…

Verdict: MALICIOUS
File type: PDF
Size: 85.2 KB
Created: 2021-04-02 10:58:37 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-24
MD5: dd40508a2a9f259371f54036de718843
SHA-1: 50e34564422bfb9bd10b9aff69a68af64c269052
SHA-256: 70145fe06dfc899f6e6411254234d7a8891224dc29e4231f7941918b218c4551
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ponafet.ru/award?keyword=calentador+solar+manual+pdf In PDF link annotation
    • https://cdn.sqhk.co/kerutadit/3xxYigC/assistant_construction_manager_jobs_houston.pdf In PDF document text
    • https://teduzagegoxow.weebly.com/uploads/1/3/4/4/134400331/89d3703fd.pdf In PDF document text
    • http://becloud.website/will_there_be_more_twilight_books_after_midnight_sund60cw.pdf In PDF document text
    • http://moshon.space/broadsheet_wine_bars_melbournejosjt.pdf In PDF document text
    • https://lemirupuzomive.weebly.com/uploads/1/3/2/8/132814022/6178996.pdf In PDF document text
    • https://sezijaxafiv.weebly.com/uploads/1/3/1/6/131637080/karadadometuxu.pdf In PDF document text
    • http://alex-travel.moscow/gta_5_money_cheat_pc_offlinesfr16.pdf In PDF document text
    • http://aycotoro5.xyz/44886703299939od.pdf In PDF document text
    • https://cdn.sqhk.co/goxobuve/7jdDLHv/57793456971.pdf In PDF document text
    • https://cdn.sqhk.co/vumorumuvogi/hajcib6/55483130737.pdf In PDF document text
    • https://babixugopanodip.weebly.com/uploads/1/3/5/3/135382952/dd07371492bcde0.pdf In PDF document text
    • https://lebotisoko.weebly.com/uploads/1/3/4/5/134597635/tijopi-tosufabuw-sefuranifola.pdf In PDF document text
    • http://www.ascendercorp.com/ In PDF document text
    • http://www.ascendercorp.com/typedesigners.html In PDF document text
    • https://s3.amazonaws.com/jepavilutabilel/ripemamolo.pdf In PDF document text
    • https://6c9aa500-f8d9-42a6-b8a4-5b3c562bbfc3.filesusr.com/ugd/543886_aaa0d65ed5504f09aeede4eaf5e89adf.pdf?index=true In PDF document text
    • https://s3.amazonaws.com/tawosutosuxi/portfolio_300-watt_landscape_lighting_transformer_manual.pdf In PDF document text
    • https://bc881323-2374-4635-a2b7-f126f9929bd8.filesusr.com/ugd/546a35_46637e33c02b4eb7afb0127b7aa02db7.pdf?index=true In PDF document text
    • https://82cb18f6-4a40-4824-ac11-10070f72ce02.filesusr.com/ugd/5aec95_8334d46ca3d84559bf6ee88e53630f40.pdf?index=true In PDF document text
    • https://s3.amazonaws.com/dazovosugev/kikemojesuniselurezefezut.pdf In PDF document text
    • https://1c019786-7048-4615-837a-ae53f087c4ae.filesusr.com/ugd/8b4172_022f464d5c184cbead120c2da7d9bdbd.pdf?index=true In PDF document text
    • https://07d68bf2-0661-47e2-9ffe-eae068a071af.filesusr.com/ugd/fef806_78f3c053512b478f80ea280de789426d.pdf?index=true In PDF document text
    • https://s3.amazonaws.com/rewepalazamiso/1571441202.pdf In PDF document text
    • https://s3.amazonaws.com/remuv/47084095100.pdf In PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# In PDF document text
    • http://purl.org/dc/elements/1.1/ In PDF document text
    • http://ns.adobe.com/pdf/1.3/ In PDF document text
    • http://ns.adobe.com/xap/1.0/ In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/ In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/ In PDF document text
    • http://dejavu.sourceforge.net In PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/License In PDF document text
    • http://scripts.sil.org/OFL In PDF document text

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • stream_004_off000128b9.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x128B9
    Size: 18288 bytes
    SHA-256: dc2419fe7139121655b2888f4714ed09dfe6f7a4bf9c0dab5c10a8cba2360289
  • font_00_sfnt_off0000ef3a.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEF3A
    Size: 5092 bytes
    SHA-256: ad6991d9c3f3cefc15ffbb1bdb7f38ca5b09098dab1560957a92f8b79a4ed1e7
  • font_01_sfnt_off0001006e.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1006E
    Size: 12248 bytes
    SHA-256: 6defc80146b33c3dcda4a477261c78780c7d39dfd147e67b6cc4027fb07b89bd