Malicious PDF — malware analysis report

Static analysis result for SHA-256 756fc3823a1f5288…

Verdict: MALICIOUS

File type: PDF

Size: 78.8 KB
Created: 2021-03-22 10:36:01 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-23
MD5: d752c3d0c92e252c5e503a7a7a691189
SHA-1: 720c32e9233413473bc69efe5e1b62f41cd20d7c
SHA-256: 756fc3823a1f5288100410b23a34cd31be3864bd8f923c65accd4719d0dadd49
Risk Score: 186

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting (severity: medium, rule: PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://xezojetit.ru/123?utm_term=nccn+guidelines+renal+cell+carcinoma+2017 (PDF link annotation; the utm_term SEO-redirector link referenced above)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      | Kind            | Source                                      | Size
font_00_sfnt_off0000f667.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF667   | 5636 bytes
  SHA-256: b8620af821c71d590333afd641288bc61ae4818510928ac032932dcc5a6f434b
font_01_sfnt_off0001098d.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1098D  | 10600 bytes
  SHA-256: eadc151aabb4911f9d345ebbcc072c40837515b725f66bf8361081e9bc3eeb7d