Malicious PDF — malware analysis report

Static analysis result for SHA-256 74fec350bc93176c…

Verdict: MALICIOUS
File type: PDF
Size: 86.0 KB
Created: 2021-03-12 15:36:02 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-21
MD5: c88384f3c52b0f695bb7b21c6c584137
SHA-1: a696f7994424362aa296e2c368d32ca2b0756128
SHA-256: 74fec350bc93176c079adf208f5356de7f2539459d53f97edf5d9bde9b3951a8
Risk score: 186

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, most of them to free or disposable file hosting (weebly.com, filesusr.com, strikinglycdn.com, S3 buckets, rf.gd and similar). That pattern matches a generated SEO link-farm carrier that routes users into malware or phishing delivery chains rather than a normal document's citations. The ClamAV signature and the ML classifier both rate the file as malicious. The file itself carries no exploit; the risk lies in the linked destinations, so the sample is best treated as a spearphishing attachment whose purpose is to redirect users to attacker-controlled sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9950

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://vilenefex.ru/strik?utm_term=grammar+for+middle+school+a+sentence-composing+approach (PDF link annotation)
    • http://xigotazuwal.iblogger.org/rental_agreement_template_residential.pdf (in PDF document text)
    • https://gibitiwatu.weebly.com/uploads/1/3/0/7/130776060/d5c4427.pdf (in PDF document text)
    • https://xisifogobodi.weebly.com/uploads/1/3/4/7/134735845/8981047.pdf (in PDF document text)
    • https://xoverepidagagit.weebly.com/uploads/1/3/4/4/134469055/jalat.pdf (in PDF document text)
    • http://maxonona.22web.org/mepozixemumuvofigeruw.pdf (in PDF document text)
    • https://bewebisiseten.weebly.com/uploads/1/3/0/8/130874130/dukawovujokifozosek.pdf (in PDF document text)
    • https://regasefes.weebly.com/uploads/1/3/1/8/131871592/7f0fbbb7765cb8.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • http://www.opentle.org (in PDF document text)
    • https://ad843f61-c544-48d7-8cfb-3c048b9edb46.filesusr.com/ugd/0dd9ed_c9418550b45940e788e138e5139728ac.pdf?index=true (in PDF document text)
    • https://s3.amazonaws.com/sefipa/sorotitidepademi.pdf (in PDF document text)
    • http://wubonaxe.epizy.com/camera_raw_installer_for_cs6_free.pdf (in PDF document text)
    • https://s3.amazonaws.com/lezerawe/68280328218.pdf (in PDF document text)
    • https://6cdb29d4-22ce-4aaf-9e51-562b59d50851.filesusr.com/ugd/1b20fb_709f695e3f0f4ca9b2f50772ea41b6a3.pdf?index=true (in PDF document text)
    • https://899154e9-876a-4ab4-94d5-c8ef2aed10f2.filesusr.com/ugd/dcf9ad_68670fb2180a40b3af8f4bbbbbabe2fe.pdf?index=true (in PDF document text)
    • https://201a0bc5-0eb3-4135-8969-828875a6b07d.filesusr.com/ugd/607883_884bf2fd91c8448abbd57289df73e1f0.pdf?index=true (in PDF document text)
    • https://c3373aeb-ed74-4f2d-b631-fa679e0a3f6f.filesusr.com/ugd/cbe7f7_d07019ee48324dc184b67a903a4844ac.pdf?index=true (in PDF document text)
    • https://s3.amazonaws.com/ganubatebedoxez/cardiopatia_congenita_del_adulto.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/d0ec5bd9-fae5-42e8-bef3-ae82e83e9c21/sifofuwadiw.pdf (in PDF document text)
    • https://s3.amazonaws.com/wutisigila/how_do_you_calculate_triangle_area.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/43f2f4a5-d163-42b4-bf89-e96f9516f03b/how_to_make_brother_printer_discoverable.pdf (in PDF document text)
    • https://s3.amazonaws.com/remavuj/xipefodasizexil.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/abf1ef0c-9de5-46e7-a815-6e3146019615/the_lottery_movie_2018.pdf (in PDF document text)
    • https://51fd5013-30c4-43d1-89ce-86564632a3b5.filesusr.com/ugd/9f06f8_863e366f56704f1faebd652687760a4f.pdf?index=true (in PDF document text)
    • http://kabitivawenavox.rf.gd/porque_es_importante_desarrollar_la_inteligencia_emocional_en_los_nios.pdf (in PDF document text)
    • https://67d298e0-85f4-4ad4-bf36-e1ac857e42fc.filesusr.com/ugd/b6bf5b_09c0f6178553467d9d00c967de26696e.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/d4d1e064-e600-414b-9b7f-19cd8dc01d39/acer_aspire_v5_no_display.pdf (in PDF document text)
    • https://994180ce-385f-4272-9833-4a204a825e0f.filesusr.com/ugd/ec0c41_67c18ba999134b2b82927f52f77b7591.pdf?index=true (in PDF document text)
    • http://lopetemiwi.rf.gd/91559098609.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    • http://www.gnu.org/licenses/gpl.html (in PDF document text)
    The last eight entries (RDF, Dublin Core and Adobe XMP namespace URIs, plus the SIL OFL and GNU GPL licence pages) are XMP metadata namespaces and embedded-font licence strings, not clickable link targets; only the entries above them count toward the link-farm heuristics.
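The two structural heuristics above (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and the PDF_SEO_LINK_FARM / PDF_SEO_DISPOSABLE_LINK_FARM pair) can be reproduced with a small raw-byte scanner. The following is an added example written for this page, not the analysis platform's own code: it enumerates every `N G obj ... endobj` definition in file order, reports object numbers that are defined more than once with differing bodies (and whether either body carries active content), extracts `/URI` link actions, and scores host clustering the way the report describes. The disposable-host list and the set of "active content" keys are assumptions chosen to illustrate the report's reasoning; the sample PDF is constructed here and only reuses nine URLs from the report's list.

```python
"""Static triage of raw PDF bytes reproducing two heuristics from the report:
duplicate object definitions and external-link host clustering. Added example."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumptions: an illustrative disposable-host list drawn from the report's URLs
# (not the platform's real list) and an assumed set of "active content" keys.
DISPOSABLE_HOST_SUFFIXES = ("weebly.com", "filesusr.com", "strikinglycdn.com",
                            "s3.amazonaws.com", "iblogger.org", "22web.org", "epizy.com", "rf.gd")
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA", b"/SubmitForm")
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")

def parse_objects(pdf):
    """Every 'N G obj ... endobj' in file order, incremental-update redefinitions
    included; that order is what a first-wins/last-wins split needs."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3).strip())
            for m in OBJ_RE.finditer(pdf)]

def duplicate_objects(objs):
    """(num, gen) -> what first-wins and last-wins readers resolve, plus whether
    any of the differing bodies carries active content."""
    bodies = {}
    for num, gen, body in objs:
        bodies.setdefault((num, gen), []).append(body)
    dups = {}
    for key, seen in bodies.items():
        distinct = list(dict.fromkeys(seen))  # drop byte-identical repeats, keep order
        if len(distinct) > 1:
            dups[key] = {"first_wins": distinct[0], "last_wins": distinct[-1],
                         "active": any(k in b for b in distinct for k in ACTIVE_KEYS)}
    return dups

def link_annotation_uris(objs):
    """URLs reachable through /URI actions. All definitions are scanned, so a
    link present on only one side of a duplicate object is still reported."""
    return [m.group(1).decode("latin-1")
            for _, _, body in objs for m in URI_RE.finditer(body)]

def is_disposable(host):
    return any(host == s or host.endswith("." + s) for s in DISPOSABLE_HOST_SUFFIXES)

def link_farm_verdict(uris, min_links=8, dominant_share=0.5):
    """The report's two shapes: many links clustered on one host, or many links
    spread thin across disposable hosts and/or through an SEO redirector."""
    hosts = [urlsplit(u).hostname or "" for u in uris]
    counts = Counter(hosts)
    top_share = counts.most_common(1)[0][1] / len(hosts) if hosts else 0.0
    disposable = sum(is_disposable(h) for h in hosts)
    seo_redirector = any("utm_term=" in u for u in uris)
    if len(hosts) < min_links:
        verdict = "none"
    elif top_share >= dominant_share:
        verdict = "PDF_SEO_LINK_FARM"
    elif disposable or seo_redirector:
        verdict = "PDF_SEO_DISPOSABLE_LINK_FARM"
    else:
        verdict = "none"
    return {"verdict": verdict, "links": len(hosts), "distinct_hosts": len(counts),
            "top_host_share": round(top_share, 2), "disposable_links": disposable,
            "seo_redirector": seo_redirector}

def triage(pdf):
    objs = parse_objects(pdf)
    return {"duplicates": duplicate_objects(objs),
            "link_farm": link_farm_verdict(link_annotation_uris(objs))}

# Constructed sample, not the analysed file: a minimal PDF whose link annotations
# reuse nine URLs from the report, then an incremental update that redefines
# object 4 with a JavaScript action. No xref table is written; the scanner never reads one.
SAMPLE_URIS = [
    "https://vilenefex.ru/strik?utm_term=grammar+for+middle+school+a+sentence-composing+approach",
    "https://gibitiwatu.weebly.com/uploads/1/3/0/7/130776060/d5c4427.pdf",
    "https://xisifogobodi.weebly.com/uploads/1/3/4/7/134735845/8981047.pdf",
    "https://xoverepidagagit.weebly.com/uploads/1/3/4/4/134469055/jalat.pdf",
    "https://bewebisiseten.weebly.com/uploads/1/3/0/8/130874130/dukawovujokifozosek.pdf",
    "https://ad843f61-c544-48d7-8cfb-3c048b9edb46.filesusr.com/ugd/0dd9ed_c9418550b45940e788e138e5139728ac.pdf?index=true",
    "https://s3.amazonaws.com/sefipa/sorotitidepademi.pdf",
    "https://uploads.strikinglycdn.com/files/d0ec5bd9-fae5-42e8-bef3-ae82e83e9c21/sifofuwadiw.pdf",
    "http://kabitivawenavox.rf.gd/porque_es_importante_desarrollar_la_inteligencia_emocional_en_los_nios.pdf",
]

def build_sample_pdf(uris):
    parts = [b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n",
             b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"]
    annots = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(uris)))
    parts.append(b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [" + annots + b"] >>\nendobj\n")
    for i, u in enumerate(uris):
        parts.append(b"%d 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /URI /URI (%s) >> >>\nendobj\n"
                     % (4 + i, u.encode("latin-1")))
    parts.append(b"trailer\n<< /Root 1 0 R >>\n%EOF\n")
    # Incremental update: same object number and generation, different body.
    parts.append(b"4 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /JavaScript /JS (app.alert(1)) >> >>\n"
                 b"endobj\ntrailer\n<< /Root 1 0 R >>\n%EOF\n")
    return b"".join(parts)

SAMPLE_PDF = build_sample_pdf(SAMPLE_URIS)
```

Running `triage(SAMPLE_PDF)` flags object `4 0` as defined twice with differing bodies: a first-wins reader follows the `/URI` link, a last-wins reader executes the `/JavaScript` action, and because the second body carries active content the duplicate is the severity-raising case the heuristic describes. The nine link annotations resolve to nine distinct hosts (top-host share about 0.11), eight of them on the disposable list, plus a `utm_term=` redirector, so the verdict is PDF_SEO_DISPOSABLE_LINK_FARM; the same function returns PDF_SEO_LINK_FARM when the links cluster on one host. Note that the scanner reads every definition in the byte stream regardless of what the cross-reference table says, which is the only way to see both sides of a parser-confusion object.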

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000fa2f.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xFA2F
  Size: 5632 bytes
  SHA-256: b8f977576ab376f7dc0c48af0df9995dc756d2c2632e732c9fabd2cdf932f3ec

Filename: font_01_sfnt_off00010d2e.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10D2E
  Size: 7736 bytes
  SHA-256: 4bd1700cbbdad356991c512657d71ea4feff8486c446d209979672e6dce97e90

Filename: font_02_sfnt_off0001228c.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1228C
  Size: 10692 bytes
  SHA-256: 114bb4788fc3d96d71ed37c0fb39c870bc356d751a55a04967d7b69fb99c6313