Malicious PDF — malware analysis report

Static analysis result for SHA-256 7cae481a171b8bfc…

MALICIOUS

PDF

93.3 KB Created: 2021-04-06 20:38:54 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7154a5a1aa713fded9e5edc12eae5914 SHA-1: b2b81ff6b6868a13149b7a50cd65cda35893b7d0 SHA-256: 7cae481a171b8bfcfff2ad26d6f74650934914623cc89f2485adb51a7b0becbd
204 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains a large number of external links, many of which are hosted on dynamic DNS services and appear to be part of a link farm designed to host malicious content. The presence of a 'download button' lure and the ML classifier's high confidence score indicate a malicious intent, likely to trick users into downloading further malware. ClamAV also detected this file as a phishing trojan.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 7

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://vilenefex.ru/wix?keyword=wget+manual+install
    • https://cdn.sqhk.co/zoboxoba/jeR3Sjh/vampire_and_werewolf_prompts.pdf
    • https://vajizekof.weebly.com/uploads/1/3/4/5/134594154/e1b92.pdf
    • https://cdn.sqhk.co/jigavozef/djahdic/rfs_real_flight_simulator_pc_download.pdf
    • http://fikunigogijori.22web.org/animal_worksheet_islcollective.pdf
    • http://rekipeva.iblogger.org/sasuwetuvokeru.pdf
    • https://leximefowa.weebly.com/uploads/1/3/2/6/132680903/kebozagip-zusigo-vojafa-vobap.pdf
    • https://cdn.sqhk.co/zaweniwefi/ifijVnP/cat_condo_game_cats.pdf
    • https://cdn.sqhk.co/dinigivo/Yje5k7T/39931674758.pdf
    • https://cdn.sqhk.co/zoboxoba/jeR3Sjh/vam
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/468e89b9-cafb-4ee9-9e42-49bcf6f26ef7/43842081620.pdf
    • https://uploads.strikinglycdn.com/files/3bbb5426-24f5-4ebf-9aa7-7219b7413ce5/92115387853.pdf
    • https://f9cb7010-568c-45d0-b0a5-7bd630b60272.filesusr.com/ugd/b10ea2_b29d7abb7e6845198d7b44269f296374.pdf?index=true
    • https://023e3b0e-89aa-4e00-bd19-175c11a0a9c0.filesusr.com/ugd/5f4883_aec8163f62e9437ebf70aa156fad5481.pdf?index=true
    • http://gotazuvibidok.epizy.com/7934278997.pdf
    • https://5057b38b-f250-4925-a5fd-2dbc054a2c1f.filesusr.com/ugd/25ee37_7476d47b3fa94b588f9ecc10ae1e9d3a.pdf?index=true
    • https://uploads.strikinglycdn.com/files/6591bf9e-fb9d-4970-93bb-cc4ec07706a7/samsung_hmx-f90_manuale_italiano.pdf
    • https://393102e6-89af-4738-8cad-89662dba8dc5.filesusr.com/ugd/33a16d_8f2aa193fb7542d79dbd894a0314cffb.pdf?index=true
    • https://uploads.strikinglycdn.com/files/d6a8a21c-2651-41b0-a793-43d513bad1bb/drifters_season_2_episode_1.pdf
    • https://uploads.strikinglycdn.com/files/c787693d-97ee-4165-9806-1624de989c01/jibabewakusewazugevi.pdf
    • https://uploads.strikinglycdn.com/files/b0ce2298-45be-43c3-a6b8-682263e96398/best_inverter_generator_for_rv_air_conditioner.pdf
    • https://uploads.strikinglycdn.com/files/f67d422d-3ac9-4721-ab5d-bf8203e9123f/24781340069.pdf
    • https://uploads.strikinglycdn.com/files/492a84ba-74bc-4513-bb18-0da8b3208752/bimegekidevepazakaje.pdf
    • https://uploads.strikinglycdn.com/files/1319512b-780f-4a6b-975c-84a95540d02d/73100871808.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00012d04.bin
0ed5d70febfb7d5ba4fc681af7e9613a4dde2a3398a924aa7acd53526d60f247		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12D04 4920 bytes
font_01_sfnt_off00013dc2.bin
3d1de3ff2810170947356a1dbb9a0b902a4d854058439a14ba1b0e11ff7e3d25		 pdf-font-stream PDF embedded font (sfnt) at offset 0x13DC2 12840 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.