Malicious PDF — malware analysis report

Static analysis result for SHA-256 761e8dcf4642c1e6…

MALICIOUS

PDF

Size: 79.5 KB
Created: 2021-03-29 02:13:59 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-27
MD5: a15d2a76149e1ac662e4b9a1308cfc19
SHA-1: e9e6680ff337760ed6829f69a40627553dadb3d2
SHA-256: 761e8dcf4642c1e652ad937ee1ab8e6a0fda628c1459b0e1140e3651b7020553
Risk Score: 126

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous embedded URLs, with at least one pointing to a suspicious domain ('baarspo.ru') and another to a link farm ('cdn.sqhk.co'). Heuristics indicate it's a link farm on disposable hosting, and a machine learning model flagged it as malicious. ClamAV also detected it as Pdf.Phishing.Trojan. The document body, though heavily obfuscated, suggests a lure related to 'Ap us history quiz answers', aligning with phishing or credential harvesting tactics.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://baarspo.ru/123?utm_term=ap+us+history+quiz+answers (PDF link annotation)
    • https://cdn.sqhk.co/mokevesin/EdKCRhf/vozogapew.pdf (in PDF document text)
    • https://cdn.sqhk.co/solalokazili/hhgdyhf/small_cross_stitch_patterns_for_beginners.pdf (in PDF document text)
    • https://cdn.sqhk.co/niwuruba/IjbN7fj/break_bricks_with_ball_game_online.pdf (in PDF document text)
    • https://cdn.sqhk.co/bopelara/haAdIji/chief_financial_officer_jobs_houston_tx.pdf (in PDF document text)
    • http://lesantyqas.online/the_westing_game_book_in_spanish46sa7.pdf (in PDF document text)
    • http://antinomi.design/def_the_term_communist_manifestorvni0.pdf (in PDF document text)
    • http://forexgeeks.net/montesquieu_spirit_of_the_lawstd71b.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://s3.amazonaws.com/lorerexeg/most_accurate_free_online_mbti_test.pdf (in PDF document text)
    • https://770603ce-cae8-48b7-b4e8-6e15b9dac1cd.filesusr.com/ugd/e975af_30e8efa88d134eea994c70758807c4e9.pdf?index=true (in PDF document text)
    • https://s3.amazonaws.com/xukanomarexumu/murepowoka.pdf (in PDF document text)
    • https://7be326e9-a1fd-4761-a84c-83c904220737.filesusr.com/ugd/37e945_d9eabd9510d3422f8b645e68ba078331.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/c233d40c-75c1-4502-8a48-2dd87f8fa04d/21214265336.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/6e012fe7-d074-4155-aec0-2a255071e888/fetuwevozisitesufidijen.pdf (in PDF document text)
    • https://s3.amazonaws.com/muvazi/goodreads_apk_free.pdf (in PDF document text)
    • https://4541bc1c-e35c-4de3-bb44-1f53c3e1a56d.filesusr.com/ugd/68f66e_503da9a486694c35a366f0638cc6a255.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/c7192166-ff65-4583-a86d-c6ba36d7a7db/nabuxu.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/d72f2ee2-e268-45fa-a3ee-336c51b0f2b4/oxford_dictionary_english_to_tamil_free_download.pdf (in PDF document text)
    • https://s3.amazonaws.com/mupukesunobaga/joleletomuj.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/44c8c547-c04e-455f-971c-cdf60a0fe3e0/what_bible_says_about_marriage.pdf (in PDF document text)
    • https://s3.amazonaws.com/gavapozalilup/bizijegowawife.pdf (in PDF document text)
    • https://88966db1-4a83-4446-b941-f65022a6235f.filesusr.com/ugd/928e0f_d14bdd4a885b47c49dbc7c5e67737da0.pdf?index=true (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000f8c2.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF8C2 | 5232 bytes
    SHA-256: 39f26902f4794f4fce5b456b19eb0a9ce8addb11a1f0cae5b161473053338e06
font_01_sfnt_off00010ab0.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10AB0 | 11132 bytes
    SHA-256: 675b1973e41a28f462205cca2841b4dcd85ef8d6dcc65f980b42dc9bda0247c7