Malicious PDF — malware analysis report

Static analysis result for SHA-256 76f8d31b821b2810…

MALICIOUS

PDF

80.5 KB Created: 2021-05-23 04:00:54 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-07-10
MD5: cca78dd40b6e5f53551204035247c5bc SHA-1: 54de478fdc9142369a3251da0dfbf19b71483322 SHA-256: 76f8d31b821b28105650fdc294c4b0330d7ec44f9b868baefa2027feb1e6d663
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF file contains a large number of external links, many hosted on disposable domains, indicating a link farm or SEO manipulation tactic. The ClamAV detection and ML classifier strongly suggest malicious intent, likely phishing or hosting malicious content. The embedded URL 'https://kuzutuzo.ru/strik?utm_term=clicker+heroes+hack+code+2020' further supports the lure of potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://kuzutuzo.ru/strik?utm_term=clicker+heroes+hack+code+2020 PDF link annotation
    • https://kutumamam.weebly.com/uploads/1/3/4/8/134893394/eb7df63.pdfIn PDF document text
    • https://tabodixab.weebly.com/uploads/1/3/4/5/134585887/gebolom.pdfIn PDF document text
    • https://negofajosodin.weebly.com/uploads/1/3/5/3/135314147/migoditerinada_besugun.pdfIn PDF document text
    • https://pikulevixabokof.weebly.com/uploads/1/3/1/6/131606248/4ebc8aedf.pdfIn PDF document text
    • https://tolibopajam.weebly.com/uploads/1/3/4/4/134487495/a6e8f5592adb.pdfIn PDF document text
    • https://jejojoroliwe.weebly.com/uploads/1/3/4/3/134310913/loposuwabar-zuditam-gotawik.pdfIn PDF document text
    • https://puraxatelodo.weebly.com/uploads/1/3/7/5/137518437/5553210c5c6a0e.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/567f63f7-8978-4d4a-90d2-f412be84a9a9/mirulekijafovodivapisawox.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/491efe06-1777-4074-abb4-6f1a9ea347b9/divatuxa.pdfIn PDF document text
    • https://s3.amazonaws.com/kokesatodixon/ms_sql_server_2014_32_bit.pdfIn PDF document text
    • https://s3.amazonaws.com/sigobija/woparetajozuradaxetu.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/d6fd85e7-dd56-44a2-a762-5d9ae48af8ba/what_are_the_greek_god_pan_powers.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/1a74d899-f748-4a3b-85af-45dcc6d4a4f4/16006346366.pdfIn PDF document text
    • https://s3.amazonaws.com/woxorojero/42790432739.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/af8af870-2195-4a38-b5bb-982ce99ad10a/how_to_be_a_member_of_planet_fitness.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000eddb.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEDDB 3112 bytes
SHA-256: e1ffc0b40eb5d8ce83ebb9dddb069cbadc99f13b0e9241b0332c77e207f9ef87
font_01_sfnt_off0000f8e7.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF8E7 5268 bytes
SHA-256: 6eacd3c4de0a9f502122768139d50ab4b272272497e39e13b1fb120b48ea43c3
font_02_sfnt_off00010ac6.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10AC6 12588 bytes
SHA-256: 3297aeb5abbe5cb1cb0d1391707f9d4bd37bb41fe6d66fca6dc8dbcb4512fa9a