Malicious PDF — malware analysis report

Static analysis result for SHA-256 82109401a040a9c1…

MALICIOUS

PDF

89.3 KB Created: 2021-04-27 06:18:15 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-25
MD5: 72a848000b137b3ed0daff1e59381351 SHA-1: 97a51d8b6957003f6f163e4e549bbf89bb53b461 SHA-256: 82109401a040a9c1adea95b485ef86c2b6be8b7c22e5f898215c2ed69d3766ec
286 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1566.001 Spearphishing Attachment

The PDF contains an embedded script and multiple external links, many of which are part of a link farm. The document body and heuristics indicate a lure involving 'Windows powershell unzip command line', suggesting the embedded script or linked content is designed to execute PowerShell commands to download and run a secondary payload. The ClamAV detection and ML classifier strongly indicate malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics 9

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ponafet.ru/strik?utm_term=windows+powershell+unzip+command+line PDF link annotation
    • https://cdn.sqhk.co/xamowizaso/drii0KE/13847956457.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4368466/normal_5ff6d4051c0aa.pdfIn macro / runtime command snippet
    • http://refazali.mygamesonline.org/understanding_and_using_english_grammar_red_book.pdfIn PDF document text
    • https://gefeteki.weebly.com/uploads/1/3/4/3/134310298/pumejalejedalimi.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4495385/normal_604164379f8e2.pdfIn PDF document text
    • https://cdn.sqhk.co/rolaravez/h0hcZje/raid_shadow_legends_youtuber_codes_2020.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4369343/normal_6012f3731f2c6.pdfIn PDF document text
    • https://cdn.sqhk.co/maxevurux/dghKihz/vinoveluturugoloba.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4378153/normal_5feb35f4dc41e.pdfIn PDF document text
    • https://gagetagij.weebly.com/uploads/1/3/2/6/132695244/wigitoku.pdfIn PDF document text
    • https://cdn.sqhk.co/baluwofuk/ij3Sgel/10_best_heroes_in_castle_clash.pdfIn PDF document text
    • http://kubarabonexomi.iblogger.org/kixakeja.pdfIn PDF document text
    • http://lazotub.mywebcommunity.org/24902123974.pdfIn PDF document text
    • http://mekujoviwe.mypressonline.com/95461562531.pdfIn PDF document text
    • https://cdn.sqhk.co/zuzipogowita/iG8Dojb/90290490330.pdfIn PDF document text
    • https://cdn.sqhk.co/xamowizasoIn macro / runtime command snippet
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://www.daltonmaag.com/In PDF document text
    • http://likawunudonanep.epizy.com/bhakta_prahlada_movie_audio_songs.pdfIn PDF document text
    • https://s3.amazonaws.com/lemerisinivum/jorexawuma.pdfIn PDF document text
    • http://luvetux.myartsonline.com/rainbow_fish_book_storyline.pdfIn PDF document text
    • http://pevipitoz.atwebpages.com/biroxek.pdfIn PDF document text
    • https://s3.amazonaws.com/mizeteb/the_urban_farmer_denver.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 6

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_pdf_script_00015fc1.bin pdf-embedded-script PDF raw stream script payload at offset 0x15FC1 1634 bytes
SHA-256: 93c8d90a213840b9a6941aee05a3d78573e469c4dc55c54654ac9db4985e5688
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 shell/COM execution token(s).
Preview script
First 1,000 lines of the extracted script
<?xpacket begin='' id='W5M0MpCehiHzreSzNTczkc9d'?>
<x:xmpmeta xmlns:x='adobe:ns:meta/' x:xmptk='LibreOffice Draw'>
<rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'>

 <rdf:Description rdf:about=''
  xmlns:dc='http://purl.org/dc/elements/1.1/'
  dc:format='application/pdf'>
  <dc:creator>
   <rdf:Seq>
    <rdf:li>Jimova Wazugawe</rdf:li>
   </rdf:Seq>
  </dc:creator>
  <dc:description>
   <rdf:Alt>
    <rdf:li xml:lang='x-default'>Windows powershell unzip command line.          Instantly share code, notes, and snippets.                            You can’t perform tha</rdf:li>
   </rdf:Alt>
  </dc:description>
  <dc:subject>
   <rdf:Bag>
    <rdf:li>Windows powershell unzip command line.          Instantly share code, notes, and snippets.                            You can’t perform tha</rdf:li>
   </rdf:Bag>
  </dc:subject>
  <dc:title>
   <rdf:Alt>
    <rdf:li xml:lang='x-default'>Windows powershell unzip command line</rdf:li>
   </rdf:Alt>
  </dc:title>
 </rdf:Description>

 <rdf:Description rdf:about=''
  xmlns:pdf='http://ns.adobe.com/pdf/1.3/'
  pdf:Producer='LibreOffice Draw'/>

 <rdf:Description rdf:about=''
  xmlns:xmp='http://ns.adobe.com/xap/1.0/'
  xmp:CreateDate='2020-04-28T16:15:53'
  xmp:CreatorTool='LibreOffice Draw'/>

 <rdf:Description rdf:about=''
  xmlns:xmpMM='http://ns.adobe.com/xap/1.0/mm/'
  xmpMM:DocumentID='fd9042a0-fc86-4aeb-81fc-ec311acc9959'
  xmpMM:InstanceID='c716d720-96a4-4340-a548-4dda333c68f3'/>

 <rdf:Description rdf:about=''
  xmlns:xmpRights='http://ns.adobe.com/xap/1.0/rights/'
  xmpRights:Marked='True'/>
</rdf:RDF>
</x:xmpmeta>
<?xpacket end='w'?>
font_00_sfnt_off0000edf3.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEDF3 5268 bytes
SHA-256: c1ba93459778562de21b7808a50ba59f358dccb6828c5e4d78aacbba1d40c426
font_01_sfnt_off0000ffb7.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFFB7 3416 bytes
SHA-256: edefef72bb427f15f82b4927985f88d73334dea0652c76644b49789300708731
font_02_sfnt_off00010d4d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10D4D 10384 bytes
SHA-256: f55fef245f6e67b5c4105896fc2bd81d2254ecfa0d343e440ed6ad497dd51daa
font_03_sfnt_off00013127.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x13127 16256 bytes
SHA-256: 726e9a6d9d7406af9030ee840b4adc32054669c8a0c10173e64b143e3b91b4c6
font_04_sfnt_off000146a5.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x146A5 4324 bytes
SHA-256: ce7e2e230a41ba6fc2d7d2240890c8289d67876d84a3d076d67c0b48111c8230

Open this report in the interactive analyzer, or submit your own file for analysis.