Malicious PDF — malware analysis report

Static analysis result for SHA-256 822d949f7734fd11…

MALICIOUS

PDF

Size: 68.8 KB
Created: 2020-11-22 14:49:34 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-02
MD5: b4a7e3c27d7fc85c527db7be89d0c6aa
SHA-1: 6ce55ac1791455fd327a63c1212fd10a648aceb1
SHA-256: 822d949f7734fd11a40a1ce93f03575d96d08d3c224f5a2419823cc9df9594cd
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged as malicious by an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (4)

  • Small PDF contains mass external PDF link farm (severity: critical) PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info) PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info) PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off0000bd01.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xBD01 | 4872 bytes | d5aec8d75bef78cf470c8aceb6fa0e20d90a9a23a9b429b23765a73d307fa7b6
font_01_sfnt_off0000cda3.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xCDA3 | 10492 bytes | e5cb178bc11600b763e0b56c920d3f3e538a00844a66dc112539196a9fd3113b
font_02_sfnt_off0000f1d1.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF1D1 | 16084 bytes | bf5ec4383cdf52cad07d346b2843a66e6085f1f3054c326d01423588993556d9