Malicious PDF — malware analysis report

Static analysis result for SHA-256 83542c8ed51d4214…

MALICIOUS

PDF

89.9 KB Created: 2020-11-30 21:55:28 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-26
MD5: 4230c33b73702e154c70710dbef0c5c4 SHA-1: 15c4584b01ceb8a9bf787b7220ab5d21cb706181 SHA-256: 83542c8ed51d4214b6b07028304680832ef43cf5610aef72746eb0552ab943db
214 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous links, with one specifically pointing to a known malicious redirector. The document body, though heavily obfuscated, appears to be a lure related to a book title, suggesting a phishing or scam attempt. The presence of multiple external links, including one to a malicious domain, indicates an attempt to redirect the user to a compromised or malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ggtraff.ru/strik?utm_term=to+kill+a+mockingbird+n+word In PDF document text
    • https://sazojowob.weebly.com/uploads/1/3/4/3/134351878/3977601.pdfIn PDF document text
    • https://sifumoxijobobo.weebly.com/uploads/1/3/4/4/134493963/f89ba113485462c.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/3749fe0f-dd71-4a98-9ec5-94e9a3dcf68e/6590801511.pdfIn PDF document text
    • https://s3.amazonaws.com/bokelur/wiwuvumamogelo.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/6221be5f-dadc-43fd-8bbe-3ccf75e54f38/underground_history_of_american_education_audiobook.pdfIn PDF document text
    • https://s3.amazonaws.com/xifabilejilab/tera_guide_github.pdfIn PDF document text
    • https://s3.amazonaws.com/bededuxotulapil/are_religions_ethnic_groups.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/11b1a3c7-89c9-44a7-b1aa-bc882db0c284/tugitilafejelavupuwozapez.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/f1ac46a4-1f07-4c31-8122-a6d836722547/vevikofetagumixomukevu.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/58286f07-76d3-48d5-85a5-f005b98900f0/38026499730.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/81ebb822-dc74-4295-b229-ca6d66a83dbe/67100882007.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/b22eefda-47f6-4582-8c5b-4662685ccd1e/73890270849.pdfIn PDF document text
    • https://s3.amazonaws.com/badodemebo/3rd_party_logistics_companies_in_boston.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_005_off000131e1.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x131E1 23328 bytes
SHA-256: 9c817b49d22821425dd7f8f28451d006c118add85f560b6bcbdff1f3df3b7e4b
font_00_sfnt_off0000fdac.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFDAC 5328 bytes
SHA-256: 1aaf190d6bcd6eb8cbc93c8df4968a6490fc4767c25504b0794eb9cb29b1879c
font_01_sfnt_off00010fbd.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10FBD 9884 bytes
SHA-256: 710cc5270056c009003b5cc6cf649187582f90d882c5865485f7997c2246455d