Malicious PDF — malware analysis report

Static analysis result for SHA-256 7caea59ba3d955b8…

Verdict: MALICIOUS
File type: PDF
Size: 76.3 KB
Created: 2021-03-17 21:36:54 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-22
MD5: 90017242dc727b516b7480df637e8cc9
SHA-1: e81fdba0b2d3090940edb7fedd8d21776885640a
SHA-256: 7caea59ba3d955b80c70501454fdb598de789fb209c93df9099d12afb7ccc8d0
Risk Score: 186

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF document contains a large number of external links, many hosted on free or disposable domains, the pattern of a generated SEO link farm built to route users onward rather than a genuine document. The heuristics PDF_SEO_LINK_FARM and PDF_SEO_DISPOSABLE_LINK_FARM fire on this behaviour. Taken together with the ClamAV detection (Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0), the embedded URLs strongly suggest a phishing or malware distribution attempt. The PDF itself carries no exploit; the risk is in the linked destinations.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://dugedepap.ru/strik?utm_term=why+does+my+bose+cd+player+skip (PDF link annotation)
    • http://keysecret.ru/10976956714w3u4v.pdf (in PDF document text)
    • https://sulunekuzesafap.weebly.com/uploads/1/3/1/4/131406846/tobugusig_lumazik_kidoxusaxusa_pogefog.pdf (in PDF document text)
    • http://jawazapefaxuzit.mywebcommunity.org/kepepaf.pdf (in PDF document text)
    • http://lenusabipowezo.getenjoyment.net/14447333210.pdf (in PDF document text)
    • https://razixaluzelel.weebly.com/uploads/1/3/4/8/134857706/tutebovevudin.pdf (in PDF document text)
    • http://nesorus.mywebcommunity.org/the_body_electric_book_review.pdf (in PDF document text)
    • http://idem-peshkom.ru/12460717939zlbfh.pdf (in PDF document text)
    • http://sekelenogake.getenjoyment.net/basic_notes_of_financial_accounting.pdf (in PDF document text)
    • http://cashbackmoney.info/does_adp_have_a_time_clock07oef.pdf (in PDF document text)
    • https://fezimadi.weebly.com/uploads/1/3/4/4/134487715/kugasuke.pdf (in PDF document text)
    • http://tameeniraq.com/sql_textbook_onlineems2l.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://8ecf7690-1f99-4e28-a4b6-3228ba9731d7.filesusr.com/ugd/63d3ad_1a3af4b794bd42d88c7e612c30d65d53.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/2b4f9f74-567a-4266-b419-e1c42740d81a/why_does_my_sony_tv_turn_on_by_itself.pdf (in PDF document text)
    • https://s3.amazonaws.com/ximupuv/uc_browser_apk_indir_android_2._3.pdf (in PDF document text)
    • https://5c2cca0d-3a4e-48b0-93bf-8ac6c0c026cb.filesusr.com/ugd/271e65_7e8a99e3245a44eaa1ff048050633ef9.pdf?index=true (in PDF document text)
    • https://f1cb2ec4-a82d-4768-8a06-5236a2db220e.filesusr.com/ugd/a2e20a_cf7f6c77b3994f48847fdd92b1aa27e7.pdf?index=true (in PDF document text)
    • https://a6132035-7465-4fe4-be4e-2faa96c22dab.filesusr.com/ugd/cf950b_04cd98658ebd4c3d94fe75a7567f60db.pdf?index=true (in PDF document text)
    • https://s3.amazonaws.com/fajixe/tuxogozoja.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/2f75421a-2613-4c2d-83a5-d6d4f86c3e54/evan_moore_pals_kerosene.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/42da1da3-a5c3-423c-8315-d416c6c20c55/is_sulfur_ionic_or_molecular.pdf (in PDF document text)
    • https://s3.amazonaws.com/bomifabipi/detekuninosat.pdf (in PDF document text)
    • https://21c505bb-01ca-4817-a549-4ed1ebba5040.filesusr.com/ugd/7d7105_3f4f983c264744389b4226ec00074ff1.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/7129852d-ffd9-421c-b090-334f628df3c8/questions_to_ask_when_interviewing_a_small_business_owner.pdf (in PDF document text)
    • https://s3.amazonaws.com/fakuguvil/how_to_play_bongo_drums_beginners.pdf (in PDF document text)
    • https://s3.amazonaws.com/wikurixobelu/android_studio_javascript_tutorial.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    The w3.org, purl.org and ns.adobe.com entries are XMP namespace URIs from the document metadata, and the ascendercorp.com and scripts.sil.org entries are vendor and licence URLs from the embedded font metadata; none of these are clickable link targets and they should not be counted toward the link-farm verdict.
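As an added example (not code from the scanner that produced this report), the link-farm and duplicate-object heuristics above written out in Python: a scorer that pulls URLs from link-annotation /URI actions and from bare document text, clusters them by host and looks for the utm_term redirector and disposable-host signals that separate PDF_SEO_LINK_FARM from PDF_SEO_DISPOSABLE_LINK_FARM, and a check for PDF_DUPLICATE_OBJ_BODY_INCREMENTAL that flags an object number defined more than once with different bodies and records whether any version carries active content. The sample PDF is constructed inline (it reuses a few of the URLs listed above); the thresholds, the DISPOSABLE_HOSTS list and the set of keys treated as active content are assumptions, not the scanner's.

```python
# Added example, not the scanner's code. Thresholds, DISPOSABLE_HOSTS, ACTIVE_RE and
# SAMPLE_PDF are constructed assumptions for illustration.
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Assumed free/disposable content hosts (illustrative subset).
DISPOSABLE_HOSTS = {"weebly.com", "mywebcommunity.org", "getenjoyment.net",
                    "filesusr.com", "strikinglycdn.com", "s3.amazonaws.com"}

URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")              # /URI actions of link annotations
TEXT_URL_RE = re.compile(rb"https?://[^\s<>()\"'\\]+")    # bare URLs in unencoded streams
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)     # "N G obj ... endobj"
ACTIVE_RE = re.compile(rb"/(JavaScript|JS|Launch|URI|OpenAction|AA)\b")  # assumed active keys

def extract_urls(pdf: bytes):
    """Return de-duplicated (url, channel) pairs; annotation hits take precedence."""
    found = [(m.group(1).decode("latin-1"), "link annotation") for m in URI_RE.finditer(pdf)]
    seen = {u for u, _ in found}
    for m in TEXT_URL_RE.finditer(pdf):
        url = m.group(0).decode("latin-1")
        if url not in seen:
            found.append((url, "document text"))
            seen.add(url)
    return found

def base_domain(url: str) -> str:
    """Crude registrable-domain approximation (last two labels) for host clustering."""
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

def is_disposable(url: str) -> bool:
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in DISPOSABLE_HOSTS)

def link_farm_verdict(pdf: bytes, min_links=8, small_pdf=200_000, cluster_ratio=0.5):
    """Classify the external .pdf link set of a small PDF (thresholds are assumptions)."""
    urls = [u for u, _ in extract_urls(pdf)]
    pdf_links = [u for u in urls if urlsplit(u).path.lower().endswith(".pdf")]
    if len(pdf) > small_pdf or len(pdf_links) < min_links:
        return None, {"pdf_links": len(pdf_links)}
    hosts = Counter(base_domain(u) for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0]
    detail = {
        "pdf_links": len(pdf_links),
        "distinct_hosts": len(hosts),
        "top_host": top_host,
        "top_share": round(top_count / len(pdf_links), 2),
        "utm_term": any("utm_term" in parse_qs(urlsplit(u).query) for u in urls),
        "disposable": sum(1 for u in pdf_links if is_disposable(u)),
    }
    if detail["top_share"] >= cluster_ratio:        # links clustered on one host
        return "PDF_SEO_LINK_FARM", detail
    if detail["utm_term"] or detail["disposable"]:  # spread thin, with SEO/disposable signals
        return "PDF_SEO_DISPOSABLE_LINK_FARM", detail
    return None, detail

def duplicate_objects(pdf: bytes):
    """Objects whose 'N G obj' definition appears more than once with different bodies.
    A first-wins reader resolves the first body, a last-wins reader the last; 'active'
    marks whether any version carries an action/script key (what raises severity)."""
    bodies = {}
    for num, gen, body in OBJ_RE.findall(pdf):
        bodies.setdefault((int(num), int(gen)), []).append(body.strip())
    return [{"obj": key, "versions": len(v), "active": any(ACTIVE_RE.search(b) for b in v)}
            for key, v in bodies.items() if len(set(v)) > 1]

# Constructed sample: a "free document" carrier with one /URI link annotation, a content
# stream of bare .pdf URLs, and two objects redefined later in the file (obj 2 benignly,
# obj 4 with a JavaScript action replacing the original link).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] /Contents 5 0 R >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://dugedepap.ru/strik?utm_term=why+does+my+bose+cd+player+skip) >> >> endobj
5 0 obj << /Length 500 >> stream
BT (http://keysecret.ru/10976956714w3u4v.pdf) Tj
(https://sulunekuzesafap.weebly.com/uploads/1/3/1/4/131406846/tobugusig.pdf) Tj
(http://jawazapefaxuzit.mywebcommunity.org/kepepaf.pdf) Tj
(http://lenusabipowezo.getenjoyment.net/14447333210.pdf) Tj
(https://razixaluzelel.weebly.com/uploads/1/3/4/8/134857706/tutebovevudin.pdf) Tj
(https://s3.amazonaws.com/ximupuv/uc_browser.pdf) Tj
(https://uploads.strikinglycdn.com/files/2b4f9f74/why_does_my_sony_tv_turn_on.pdf) Tj
(http://tameeniraq.com/sql_textbook_online.pdf) Tj ET
endstream
endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 2 >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /JavaScript /JS (app.launchURL('http://keysecret.ru/x.pdf')) >> >> endobj
%%EOF
"""

if __name__ == "__main__":
    for url, channel in extract_urls(SAMPLE_PDF):
        print(f"{channel:16} {url}")
    print(link_farm_verdict(SAMPLE_PDF))
    print(duplicate_objects(SAMPLE_PDF))
```

The text-channel regex only sees unencoded bytes; a real scanner inflates FlateDecode streams first, and it consults the xref table to learn which of two duplicate definitions a conforming reader would actually load, rather than assuming first-wins or last-wins.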

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000eb29.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEB29
    Size: 5632 bytes
    SHA-256: 5cec8c8ade381cfa7ac4d3585f3e566379a8de6175cb171cc0e0676c9f7d17e3
  • font_01_sfnt_off0000fe33.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFE33
    Size: 10972 bytes
    SHA-256: 5c3a44756805420f318f0ff3b3d699d4bb2b568561d037eceee72ec97b294ed9