Malicious PDF — malware analysis report

Static analysis result for SHA-256 738801e7acb99336…

MALICIOUS

PDF

73.7 KB Created: 2021-06-08 19:41:17 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-25
MD5: 0237222eaa6f2121b327ab7bd823f7e7 SHA-1: 0589bdfd6488f1af79e09848576b4de2c3e6a6dd SHA-256: 738801e7acb993365f69909e25cb5012998f318d5ad7a754a04b934cf0f50b92
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of external links, many of which are hosted on disposable domains or link farms, suggesting a phishing or malware distribution scheme. The presence of a ML classifier flagging it as malicious and ClamAV detecting it as 'Pdf.Phishing.Trojan' further supports this. The document body, though heavily obfuscated, contains text related to watching movies online, which is likely a lure to encourage users to click the malicious links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://crysiq.ru/pbw?utm_term=watch+hereditary+online+free PDF link annotation
    • https://vokafevevuw.weebly.com/uploads/1/3/4/3/134320681/6430356.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4383797/normal_601935f9c8fe2.pdfIn PDF document text
    • https://wobozosexeje.weebly.com/uploads/1/3/0/8/130814788/xinoxevijugilozi.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4368751/normal_604b01e37d310.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4481291/normal_604aa1681691a.pdfIn PDF document text
    • https://bazafegaxu.weebly.com/uploads/1/3/1/3/131383427/kelogajetife.pdfIn PDF document text
    • https://biweworu.weebly.com/uploads/1/3/4/5/134525234/wuwaruwubeg-rafediju.pdfIn PDF document text
    • https://pupaxutakigi.weebly.com/uploads/1/3/4/5/134579126/zezet_zibixofumito.pdfIn PDF document text
    • https://bojibelatos.weebly.com/uploads/1/3/4/0/134040608/2300502.pdfIn PDF document text
    • https://wunepilupizuxo.weebly.com/uploads/1/3/1/8/131857535/sisep.pdfIn PDF document text
    • https://tunozuranoba.weebly.com/uploads/1/3/5/3/135316660/nezuxaxosova.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4414688/normal_606a3f7611349.pdfIn PDF document text
    • https://velonifiwivuli.weebly.com/uploads/1/3/0/7/130739758/6793775a1775e5c.pdfIn PDF document text
    • https://gepufefodu.weebly.com/uploads/1/3/4/0/134013389/2b8d7f7598f2000.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://pezeliv.pbworks.com/f/wagunibi.pdfIn PDF document text
    • http://fokopaviwu.pbworks.com/w/file/fetch/144568053/13684420458.pdfIn PDF document text
    • http://gosirata.pbworks.com/w/file/fetch/144445605/ligejabivojudopebudobaf.pdfIn PDF document text
    • http://nijominem.pbworks.com/w/file/fetch/144607236/archie_comics_free_download.pdfIn PDF document text
    • http://vadibun.pbworks.com/w/file/fetch/144439035/vixikufemejerabude.pdfIn PDF document text
    • http://molosafokaji.pbworks.com/w/file/fetch/144549882/starlink_satellite_internet_service_coverage_map.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e2dc.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE2DC 5048 bytes
SHA-256: b4f25ea3a6babb23b596b3cae105eff0c7374f167e37b8b05ffa3901cffea476
font_01_sfnt_off0000f419.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF419 10996 bytes
SHA-256: 05df68a86cf55791689cc88b944d811e1213b65a7a03fb9636e749d1f83b6ffb