Malicious PDF — malware analysis report

Static analysis result for SHA-256 7a1b05f58c83f26d…

Verdict: MALICIOUS
File type: PDF
Size: 151.6 KB
Created: 2021-02-18 02:46:39 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-05-26
MD5: 7cc46c3be86e153880b3c8125bb104e0
SHA-1: cca08421742ed25d139aab01ad69f81cf937632c
SHA-256: 7a1b05f58c83f26d4b94c309f1b70adc4262daf24594a1d8b5076807e1e91156
Risk Score: 186

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF document contains numerous external links, many of which are hosted on disposable domains and utilize UTM parameters, suggesting a link farm or phishing campaign. The heuristic 'SE_SECRET_RECOVERY_LURE' indicates the document explicitly requests sensitive information like recovery phrases or private keys. While no scripts were directly extracted, the presence of embedded URLs and the nature of the heuristics strongly suggest a phishing attack designed to harvest credentials or sensitive data.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9550

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Recovery secret / private key request critical SE_SECRET_RECOVERY_LURE
    Document requests recovery phrases, private keys, backup codes, or saved passwords. Requests for these secrets in a document are high-risk.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://bologen.ru/strik?utm_term=english+vocabulary+test+for+beginners+pdf+with+answers (PDF link annotation)
    • https://mejebepagomuda.weebly.com/uploads/1/3/4/4/134494428/5491759.pdf (in PDF document text)
    • http://lotto-investclub.com/653255398619qdgf.pdf (in PDF document text)
    • http://alifan.store/585444316296kruq.pdf (in PDF document text)
    • https://cdn.sqhk.co/najafizox/6hh0Ehc/43464089116.pdf (in PDF document text)
    • https://cdn.sqhk.co/piwizogir/gel0hfA/rush_hour_4k_blu_ray.pdf (in PDF document text)
    • http://easylearning.space/nba_g_league_scheduleaof9o.pdf (in PDF document text)
    • http://usmileofficial.site/aha_guidelines_cabg_2015guqf1.pdf (in PDF document text)
    • https://xuvosaxefon.weebly.com/uploads/1/3/4/6/134605895/616b614d4ea1.pdf (in PDF document text)
    • http://national-verifyteam.com/110630673167400m.pdf (in PDF document text)
    • http://cadenalia.com/kitchen_cabinets_plansrvdf0.pdf (in PDF document text)
    • https://betetaguzom.weebly.com/uploads/1/3/2/3/132303315/dadalulak-fokasajujex-xenidis-sasore.pdf (in PDF document text)
    • http://prequester.online/33713356478bbmzz.pdf (in PDF document text)
    • https://cdn.sqhk.co/modonasuje/p5if2Qf/65451116284.pdf (in PDF document text)
    • https://jaluburevajag.weebly.com/uploads/1/3/0/8/130874017/bewuxojitewofeni.pdf (in PDF document text)
    • https://xidokuwu.weebly.com/uploads/1/3/1/4/131453793/4345824.pdf (in PDF document text)
    • https://cdn.sqhk.co/wokinuge/3eihgdK/55576019325.pdf (in PDF document text)
    • https://mizemajawoxulu.weebly.com/uploads/1/3/1/4/131437858/ludugiwax.pdf (in PDF document text)
    • https://bewogataxatux.weebly.com/uploads/1/3/2/6/132695278/jepovaw-sezabaxo-nenanigilibem.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • http://www.daltonmaag.com/ (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • https://savannah.gnu.org/projects/freefont/ (in PDF document text)
    • http://www.gnu.org/licenses/ (in PDF document text)
    • http://www.gnu.org/copyleft/gpl.html (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    • http://sinhala.sourceforge.net/ (in PDF document text)
    • http://sinhala.cvs.sourceforge.net/viewvc/*checkout*/sinhala/sinhala/fonts/CREDITS (in PDF document text)
    • http://www.gnu.org/licenses/gpl-2.0.html (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)
    • http://scripts.sil.org (in PDF document text)

Extracted artifacts (9)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                       Size
font_00_sfnt_off00011c1a.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x11C1A   7096 bytes
  SHA-256: a65ef0ff4b7da8ea3cebbd938d522857887aee8050a0b72728b2022c99d718bc
font_01_sfnt_off00012df5.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x12DF5   21788 bytes
  SHA-256: e49d154b53a74378f148c56321be85cf72ddbd1eb11e8b6111a4bd4704b45d5f
font_02_sfnt_off00017244.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x17244   5648 bytes
  SHA-256: eeb45e3a362ad831670f3a183fbe37577d7b2d4363e100476c7c8374ccac272a
font_03_sfnt_off0001853f.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1853F   2864 bytes
  SHA-256: 0f5c0efe4ccad7a3042cb2f954a21695c88ac0a69202bea05a82717ed60afa37
font_04_sfnt_off00019006.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x19006   30096 bytes
  SHA-256: 4d73da2e88e580a7a50a454b796eb91b8e282a7ca1d68ae9a6181ee29392cb09
font_05_sfnt_off0001d0cf.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1D0CF   17736 bytes
  SHA-256: 4d54e434977609a7cd8f7d572c49bca7ec2df13ec6234f04c11c1a05423864b2
font_06_sfnt_off000204dc.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x204DC   28300 bytes
  SHA-256: 783cdb2ee599bc6ff58b731b71924d2934b3486fe9436b3a4fdb488848295c1e
font_07_sfnt_off00023200.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x23200   4324 bytes
  SHA-256: ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3
font_08_sfnt_off00023fff.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x23FFF   3688 bytes
  SHA-256: 15b51d4729f381b9b95b6143cd9d5d650d48df27e4aa88ea95f989aa7a7e4927