Malicious PDF — malware analysis report

Static analysis result for SHA-256 82ffa81bd897e9ed…

Verdict: MALICIOUS
File type: PDF
Size: 107.6 KB
Created: 2021-03-31 00:13:33 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-23
MD5: 11b6864adc3f3e817dedce1feea124b1
SHA-1: 2b28533df62ab59bc38c1365db3eb8a337ac738e
SHA-256: 82ffa81bd897e9ed85397878acc6485f4b6742f2e3f442ee231a60921c145a0b
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and by an ML classifier. The file embeds a large number of external links, a pattern characteristic of a generated SEO link farm rather than of a genuine document. The specific URLs and other indicators for this sample are listed in the indicators section below.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (5)

  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware under the signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0.
  • PDF_SEO_LINK_FARM (critical): Small PDF contains a mass external PDF link farm
    A small PDF contains many clickable external links to other PDFs, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers that route users into malicious or unwanted-software delivery chains; a normal document's citations do not cluster this way.
  • PDF_URI (info): External URI
    The PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, which is the parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so the severity is raised only when the duplicate carries active content (JavaScript, launch or open actions, forms).
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL channel label below records how each URL was reached (link annotation, JavaScript, document body text, and so on).
    • https://botokaw.ru/123?utm_term=le+bilinguisme+en+alg%25C3%25A9rie+pdf (PDF link annotation)
    • http://xisibopixemuzu.22web.org/world_stock_markets_opening_times_gmt.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://s3.amazonaws.com/jifesu/lpic-_2_study_guide_5th_edition.pdf (in PDF document text)
    • https://b6f97e74-198a-461d-a312-d71b9712332b.filesusr.com/ugd/a2d007_85404d60fc2a4f0ab4ff1380cd13bddf.pdf?index=true (in PDF document text)
    • https://s3.amazonaws.com/sajatofubote/how_to_measure_impact_in_quantitative_research.pdf (in PDF document text)
    • https://3eeb541e-75be-486c-a732-b1e279b2a932.filesusr.com/ugd/eaab1c_8343f19f973046bf9dc220a391da56e7.pdf?index=true (in PDF document text)
    • https://s3.amazonaws.com/bojafazes/10457803854.pdf (in PDF document text)
    • https://s3.amazonaws.com/vibuvomomuv/median_gdp_per_capita.pdf (in PDF document text)
    • https://2d841ef3-a248-4e6a-996b-2d54d6713fdd.filesusr.com/ugd/1decf9_394cce3ac1394be8a1ff3659ad5601bb.pdf?index=true (in PDF document text)
    • https://s3.amazonaws.com/mudurixo/video_storyboard_template_excel.pdf (in PDF document text)
    • http://wutowaxodod.epizy.com/beautiful_nubia_all_songs_free.pdf (in PDF document text)
    • http://voworugifajav.epizy.com/97229014667.pdf (in PDF document text)
    • http://minudumira.rf.gd/liwudifun.pdf (in PDF document text)
    • https://s3.amazonaws.com/gofilafixu/37706396628.pdf (in PDF document text)
    • http://lokuweva.rf.gd/litosefikewisomasurori.pdf (in PDF document text)
    • https://s3.amazonaws.com/muvojugejoxip/child_of_light_switch_performance.pdf (in PDF document text)
    • https://23751d96-d7b3-42ca-b8ca-e459b671ea95.filesusr.com/ugd/7de994_b44d89bef089455fad47c997b65307cd.pdf?index=true (in PDF document text)
    • https://729282ec-1290-4cbc-9302-cf8a24acd4c7.filesusr.com/ugd/42c189_af68da97da534cfb8e6dc0187df1e1cd.pdf?index=true (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    Note: the last seven entries are RDF, Dublin Core and XMP namespace identifiers from the document's metadata stream and the SIL Open Font License URL carried by the embedded fonts. They are strings, not clickable links, and are expected in any wkhtmltopdf output; the ascendercorp.com URLs are likewise font-vendor references. The indicators of interest are the botokaw.ru link annotation and the clustered free-hosting and S3 PDF URLs.
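The two structural heuristics above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, can both be reproduced with a small raw-byte scan of the file. The following Python is an added example written for this report, not code from the analysis engine that produced it: it runs over a constructed minimal PDF (not the analysed sample) whose incremental update redefines object 4 0 with a body carrying active content, and which holds four /URI link annotations clustered on one host. The thresholds (file size under 256 KB, at least three links, 60 percent on one host) and the active-content keyword list are illustrative assumptions, not the engine's values.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample (not the analysed file): a minimal PDF whose incremental
# update redefines object "4 0" with different body bytes that carry active
# content, plus four /URI link annotations, three of them on one host.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R 6 0 R 7 0 R 8 0 R] >> endobj
4 0 obj << /Title (benign) >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://farm.example/a.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://farm.example/b.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://farm.example/c.pdf) >> >> endobj
8 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://other.example/d.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Title (updated) /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >> endobj
trailer << /Root 1 0 R /Prev 9 >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
URI_RE = re.compile(rb"/S\s*/URI\b.*?/URI\s*\((.*?)\)", re.DOTALL)
# Assumed marker list for "active content"; the engine's own list is not published here.
ACTIVE_RE = re.compile(rb"/(JavaScript|JS|Launch|OpenAction|AA|SubmitForm|RichMedia)\b")


def parse_objects(data):
    """Return (num, gen, body) for every indirect object definition, in file order.
    Naive on purpose: a stream whose bytes contain 'endobj' needs a /Length-aware parser."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3).strip())
            for m in OBJ_RE.finditer(data)]


def duplicate_objects(objs):
    """Map (num, gen) -> distinct bodies for objects defined more than once with
    differing bytes. A first-wins reader uses bodies[0], a last-wins reader bodies[-1]."""
    seen = {}
    for num, gen, body in objs:
        bodies = seen.setdefault((num, gen), [])
        if body not in bodies:
            bodies.append(body)
    return {key: bodies for key, bodies in seen.items() if len(bodies) > 1}


def has_active_content(body):
    return ACTIVE_RE.search(body) is not None


def extract_link_uris(objs):
    """Targets of /URI actions inside link annotations, decoded as Latin-1 text."""
    uris = []
    for _, _, body in objs:
        if b"/Link" in body:
            uris += [u.decode("latin-1") for u in URI_RE.findall(body)]
    return uris


def link_farm_verdict(uris, file_size, max_size=256 * 1024, min_links=3, min_cluster=0.6):
    """PDF_SEO_LINK_FARM-style check: a small file, many external links, mostly on one host."""
    hosts = Counter((urlparse(u).hostname or "").lower() for u in uris)
    top_host, top_n = (hosts.most_common(1) or [("", 0)])[0]
    cluster = top_n / len(uris) if uris else 0.0
    return {"links": len(uris), "top_host": top_host, "cluster": round(cluster, 2),
            "flag": file_size <= max_size and len(uris) >= min_links and cluster >= min_cluster}


def analyze(data):
    objs = parse_objects(data)
    dups = duplicate_objects(objs)
    # Severity is raised only when a duplicate body carries active content,
    # mirroring the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL rule text above.
    active_dup = any(has_active_content(b) for bodies in dups.values() for b in bodies)
    return {
        "objects": len(objs),
        "duplicates": {f"{n} {g}": [has_active_content(b) for b in bodies]
                       for (n, g), bodies in dups.items()},
        "duplicate_severity": "raised" if active_dup else "info",
        "link_farm": link_farm_verdict(extract_link_uris(objs), len(data)),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_PDF))
```

On the constructed sample the scan reports nine object definitions, one duplicated object ("4 0") whose second body carries active content, and a link-farm flag because three of the four link annotations point at farm.example. Against a real file, compare first-wins and last-wins bodies side by side before deciding which one a given reader will render.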

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000162f5.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x162F5
  Size: 5584 bytes
  SHA-256: d03ec5e4a5105a8af4a68206fae63fbb6daf1963e8e2d2015cfbcc7a3230d403

Filename: font_01_sfnt_off00017591.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x17591
  Size: 13240 bytes
  SHA-256: 37396ff5f3c10a55faee00a9d3b7e113789ee02ff1e5b88c85d1cfd29b063768