Malicious PDF — malware analysis report

Static analysis result for SHA-256 70721ad8737e997d…

MALICIOUS

PDF

Size: 85.8 KB
Created: 2021-05-09 18:03:59 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-23
MD5: 8dcb252bd4d0b9528634688aeee0603c
SHA-1: f730f4a3ae1b867b237d09a3fae7601aef93dcaa
SHA-256: 70721ad8737e997d181c4db2411b515c61cd43be679534d9a516eaa3694323ad
Risk score: 186

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF contains a large number of external links, most of them to .pdf paths on free or disposable hosting, in the pattern of a generated SEO link farm rather than a normal citation pattern. The ML classifier and ClamAV both flag the file as malicious, with ClamAV naming it a phishing trojan. The link targets (random-string filenames on throwaway hosts and a utm_term SEO redirector) show a document whose purpose is to route users into further download or redirect chains; the heuristics find no exploit in the PDF itself, so the risk lies in the linked destinations. The file was generated with wkhtmltopdf, which fits a template-driven "free document" SEO page rendered to PDF. A duplicated object definition is also noted at info severity, since the duplicate carries no active content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL channel label for how each URL is reached (macro, JS, link annotation, document body, ...).
    • https://resalured.ru/strik?utm_term=lancer+systems+-+ar-15%252Fm16+l5+magazine+coupler  [PDF link annotation]
    • http://scarcebook.com/napa_battery_charger_manual4hpo9.pdf  [PDF document text]
    • http://xizuwekimexuwag.22web.org/82088742885.pdf  [PDF document text]
    • http://tortomsk.ru/epilepsy_in_pregnancy_guidelineshdpi4.pdf  [PDF document text]
    • http://radewilagimalap.iblogger.org/ninusikajakamosowijamix.pdf  [PDF document text]
    • http://gloslides.com/did_you_feel_what_i_feels4t16.pdf  [PDF document text]
    • http://getplafond.xyz/xatuxodoxisukirapamz185r.pdf  [PDF document text]
    • http://www.ascendercorp.com/  [PDF document text]
    • http://www.ascendercorp.com/typedesigners.html  [PDF document text]
    • https://uploads.strikinglycdn.com/files/52613e56-9347-494b-b73d-0172aa0e0f6b/vozukatujutumi.pdf  [PDF document text]
    • http://zexenodu.rf.gd/adding_polynomials_worksheets.pdf  [PDF document text]
    • https://uploads.strikinglycdn.com/files/a695c56b-8527-47b2-83af-947f1fbd6ba1/dejovevabefake.pdf  [PDF document text]
    • https://5a6df620-610b-4d6f-8f1b-71e936bb70bc.filesusr.com/ugd/1f5cef_d290f7d5425f443ca9b905690986a5df.pdf?index=true  [PDF document text]
    • http://meresig.epizy.com/fobumuzegufalaketamut.pdf  [PDF document text]
    • https://uploads.strikinglycdn.com/files/be8eb499-9d50-4d62-ae9a-10b35ce44466/honeywell_lynx_plus_l3000_programming_cheat_sheet.pdf  [PDF document text]
    • https://5071cc05-3fa2-46b1-b944-d2523ca4b51d.filesusr.com/ugd/62e2c1_1152909d9eee4014bbf7bbc2d5299321.pdf?index=true  [PDF document text]
    • https://uploads.strikinglycdn.com/files/eca67381-7d78-478d-a9e7-1d8f57f66bca/gudosagarexamijakagovi.pdf  [PDF document text]
    • https://f7e05ffc-afae-4d19-be15-7e9c659e5e5f.filesusr.com/ugd/72f62b_e8d2a5161e74479795c48cf38d101ab4.pdf?index=true  [PDF document text]
    • https://76bf09fe-c378-4d6f-baa9-beaf48595a8b.filesusr.com/ugd/61567a_e95def12cce44cf1ad73e3c2b3cddbbf.pdf?index=true  [PDF document text]
    • https://uploads.strikinglycdn.com/files/6d9e454d-3989-4327-9bbe-07148556c80d/george_foreman_grill_chicken_breast_recipes.pdf  [PDF document text]
    • https://0df6220b-9630-4647-aab6-0d9db69b9d59.filesusr.com/ugd/8b97dd_8ae9b51200864bfebe7ddb026e21ff3e.pdf?index=true  [PDF document text]
    • https://uploads.strikinglycdn.com/files/dcfab771-da37-4803-89c3-7443faf9bb3e/autocad_3d_drawings_for_practice.pdf  [PDF document text]
    • https://uploads.strikinglycdn.com/files/227c48b7-a218-4a86-b503-f5f379b2ecf6/ferasolabaxuwemega.pdf  [PDF document text]
    • http://pasigajixivete.epizy.com/aristteles._tica__nicmaco.pdf  [PDF document text]
    • https://uploads.strikinglycdn.com/files/bc4ecaf0-c04c-44a7-a45c-9de8af1231d9/what_is_the_easiest_payday_loan_to_get_online.pdf  [PDF document text]
    • https://9a1eab6f-da2d-4a41-99bb-18a59f11b130.filesusr.com/ugd/c2b690_4237ec59d12546b58555046ef0495f0d.pdf?index=true  [PDF document text]
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#  [PDF document text]
    • http://purl.org/dc/elements/1.1/  [PDF document text]
    • http://ns.adobe.com/pdf/1.3/  [PDF document text]
    • http://ns.adobe.com/xap/1.0/  [PDF document text]
    • http://ns.adobe.com/xap/1.0/mm/  [PDF document text]
    • http://ns.adobe.com/xap/1.0/rights/  [PDF document text]
    • http://scripts.sil.org/OFL  [PDF document text]
    The resalured.ru redirector is the one URL carried by a link annotation (the PDF_URI finding); the utm_term value is double-encoded (%252F for "/"), which is typical of an SEO redirector that forwards the search phrase. The .pdf URLs on strikinglycdn.com, filesusr.com, epizy.com, 22web.org, rf.gd and iblogger.org are the link-farm targets on free or disposable hosting. The last seven entries (the w3.org RDF, purl.org Dublin Core and ns.adobe.com XMP namespace URIs, and the scripts.sil.org/OFL font-licence URL) are schema identifiers from the document's XMP metadata and embedded font, not navigable link targets, and are not part of the link-farm pattern.
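The two SEO link-farm heuristics and the duplicate-object finding above can be reproduced on raw PDF bytes without a full parser. The Python below is an added example written for this page, not the scanner's own code. Its thresholds (MIN_LINKS, CLUSTER_SHARE), the hostnames inside SAMPLE_PDF and SAMPLE_URLS, and the disposable-host suffix list (taken from the hosts listed in this report, not an exhaustive list) are assumptions. It extracts /URI action targets with a regex (literal-string form only), profiles the host distribution the way the clustered and non-clustered heuristics describe, and finds an object number defined twice with different bodies, showing which body a first-wins and a last-wins reader would resolve.

```python
"""Triage helpers for SEO link-farm PDFs and duplicated-object parser confusion.

Added example, not the scanner's code. Works on raw bytes with regexes on purpose:
the duplicate-object check is about what is physically in the file, since
compliant readers disagree on which definition wins. Objects inside compressed
object streams are not seen by this approach.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Free/disposable hosting suffixes taken from the URLs listed in this report.
# Assumption: not an exhaustive list; extend it from your own telemetry.
DISPOSABLE_SUFFIXES = ("strikinglycdn.com", "filesusr.com", "epizy.com",
                       "22web.org", "rf.gd", "iblogger.org")
MIN_LINKS = 6        # assumed threshold: fewer external links reads as normal citation
CLUSTER_SHARE = 0.5  # assumed threshold: one host carrying half the links is "clustered"

# Literal-string form /URI (...) only; hex strings <...> and escaped parentheses
# inside the literal are not handled, so a miss is a gap, not a clean verdict.
URI_RE = re.compile(rb"/URI\s*\((.*?)\)", re.S)
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)

# Constructed sample (no xref table, which the regex approach does not need):
# two link annotations, then an incremental update that redefines object 5
# with a different /URI. A first-wins reader follows the CDN link, a
# last-wins reader follows the utm_term redirector.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example-a.invalid/one.pdf) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://uploads.example-cdn.invalid/files/two.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://redirector.invalid/go?utm_term=free+template) >> >> endobj
trailer << /Root 1 0 R /Prev 0 >>
%%EOF
"""

# Constructed URL list shaped like this report: a few links on one CDN host,
# the rest spread one per host on free hosting, plus one utm_term redirector.
SAMPLE_URLS = [
    "https://uploads.strikinglycdn.com/files/aaaa/one.pdf",
    "https://uploads.strikinglycdn.com/files/bbbb/two.pdf",
    "https://uploads.strikinglycdn.com/files/cccc/three.pdf",
    "http://host1.epizy.com/four.pdf",
    "http://host2.22web.org/five.pdf",
    "http://host3.rf.gd/six.pdf",
    "http://shop.example/seven.pdf",
    "https://redirector.example/go?utm_term=free+template",
]


def extract_uri_actions(data: bytes) -> list[str]:
    """All /URI action targets in file order, including targets inside
    superseded definitions that an incremental update later replaced."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(data)]


def _is_disposable(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in DISPOSABLE_SUFFIXES)


def host_profile(urls: list[str]) -> dict:
    """Host distribution of a URL list: link count, distinct hosts, share of the
    dominant host, disposable-host count and presence of a utm_term redirector."""
    hosts = Counter((urlparse(u).hostname or "").lower() for u in urls)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    return {
        "links": len(urls),
        "distinct_hosts": len(hosts),
        "top_host": top_host,
        "top_share": top_n / len(urls) if urls else 0.0,
        "disposable_hosts": sum(1 for h in hosts if _is_disposable(h)),
        "utm_term_redirector": any("utm_term" in parse_qs(urlparse(u).query) for u in urls),
    }


def classify_link_farm(urls: list[str]) -> list[str]:
    """Reproduce the shape of the two heuristics: many links clustered on one
    host (PDF_SEO_LINK_FARM), or many links spread thin over disposable hosts
    and/or a utm_term redirector (PDF_SEO_DISPOSABLE_LINK_FARM)."""
    p = host_profile(urls)
    labels: list[str] = []
    if p["links"] < MIN_LINKS:
        return labels
    if p["top_share"] >= CLUSTER_SHARE:
        labels.append("PDF_SEO_LINK_FARM")
    elif p["disposable_hosts"] or p["utm_term_redirector"]:
        labels.append("PDF_SEO_DISPOSABLE_LINK_FARM")
    return labels


def duplicate_objects(data: bytes) -> dict[tuple[int, int], list[bytes]]:
    """(num, gen) -> every body seen, kept only for objects defined more than
    once with differing bytes (the PDF_DUPLICATE_OBJ_BODY shape)."""
    bodies: dict[tuple[int, int], list[bytes]] = {}
    for m in OBJ_RE.finditer(data):
        key = (int(m.group(1)), int(m.group(2)))
        bodies.setdefault(key, []).append(m.group(3).strip())
    return {k: v for k, v in bodies.items() if len(set(v)) > 1}


def resolve_object(data: bytes, num: int, gen: int, policy: str = "last") -> bytes:
    """What a first-wins or last-wins reader sees for object `num gen`."""
    found = [m.group(3).strip() for m in OBJ_RE.finditer(data)
             if (int(m.group(1)), int(m.group(2))) == (num, gen)]
    if not found:
        raise KeyError((num, gen))
    return found[0] if policy == "first" else found[-1]


if __name__ == "__main__":
    print("URI actions:", extract_uri_actions(SAMPLE_PDF))
    for key, bodies in duplicate_objects(SAMPLE_PDF).items():
        print(f"object {key[0]} {key[1]} defined {len(bodies)} times with different bodies")
        print("  first-wins:", resolve_object(SAMPLE_PDF, *key, "first"))
        print("  last-wins: ", resolve_object(SAMPLE_PDF, *key, "last"))
    print("profile:", host_profile(SAMPLE_URLS))
    print("labels:", classify_link_farm(SAMPLE_URLS))
```

Run against a real sample, read the file as bytes and pass it to extract_uri_actions and duplicate_objects; merge the /URI results with URLs pulled from page text before calling classify_link_farm, since in this report most targets sit in document text rather than in link annotations. A non-empty duplicate_objects result is a reason to open the file in two readers and compare, not a verdict on its own: benign incremental updates produce the same shape.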

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off000110f9.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x110F9 | 5744 bytes
  SHA-256: 87b84c94a2fac0339720ede4ee8338fad080acf82b5755c9e83855e11692ebb3
font_01_sfnt_off0001249e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1249E | 11044 bytes
  SHA-256: 892f8861daf483b7c41c80bf5039092259620b68016ed5bcd7ae4018a9a95cc4