Malicious PDF — malware analysis report

Static analysis result for SHA-256 831b6e13c428d844…

MALICIOUS

PDF

Size: 80.4 KB
Created: 2021-03-31 10:10:25 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a8d5f1d5acff31801df9d3b09e66e65f
SHA-1: e818dc4dea81e3b6685ff2457a97ee4ebb7616fa
SHA-256: 831b6e13c428d8440dd6604414a992dbe49abab4473d5595838fd98ae58b3cf7
Risk Score: 186

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF document contains numerous external links, many pointing to disposable domains, and is flagged by heuristics as a link farm designed for SEO manipulation. The primary malicious URL identified is https://midufefew.ru/123?utm_term=beach+buggy+racing+hack+android+1, which is likely used to distribute malware or conduct phishing. The ML classifier and ClamAV detection strongly indicate malicious intent.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9998

Heuristics (6)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0.
  • Small PDF is a non-clustered link farm on disposable hosting (severity: medium, rule: PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (severity: info, rule: PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://midufefew.ru/123?utm_term=beach+buggy+racing+hack+android+1

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000ef86.bin | e94f8856debcd4523321a110ab9353ada4ef25a22df2c74a4a1da16cfe4c4cbc | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEF86 | 5400 bytes
font_01_sfnt_off000101e7.bin | 6e3cb384a85706c15ed3c14abd41ab7e2ed102ab78f4c23779af0f01ec87582d | pdf-font-stream | PDF embedded font (sfnt) at offset 0x101E7 | 22668 bytes