Malicious PDF — malware analysis report

Static analysis result for SHA-256 83e2fe2902d8d80b…

MALICIOUS

PDF

78.2 KB Created: 2021-05-06 07:49:12 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: cad7509f6ed9e649f9b3f5d9b0a26c48 SHA-1: 53a7e9b6d7566de22b1b9e3a7bb21cc819a173e7 SHA-256: 83e2fe2902d8d80bb4e6870795078a1af29c268f25d1f8c388ce1bedc6d6cc46
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of external links, many pointing to disposable domains, as indicated by the PDF_SEO_LINK_FARM and PDF_SEO_DISPOSABLE_LINK_FARM heuristics. The ML classifier and ClamAV also flagged this as malicious, with ClamAV identifying it as Pdf.Phishing.Trojan. The embedded URLs and the document body suggest a lure related to 'The Twits' Roald Dahl characters, likely to drive traffic to these link farms.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://druttle.ru/strik?utm_term=the+twits+roald+dahl+characters
    • http://litagud.22web.org/character_development_sheet.pdf
    • http://fanewixijek.22web.org/29595959347.pdf
    • http://arevakar-travel.com/stairway_to_heaven_tabs_bassemdkr.pdf
    • http://erethiztzj.space/greek_mythology_family_tree_zeus4yqcg.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://fujurojulode.rf.gd/99090058874.pdf
    • https://uploads.strikinglycdn.com/files/e16d2da8-c76c-49cb-a8e7-6f2333825c23/65973439600.pdf
    • https://f33d1b56-f518-462b-b61f-c1b5c1ba661c.filesusr.com/ugd/1c44ce_4d3c6c59335b4d1495e2839de4a5e28b.pdf?index=true
    • http://serumisa.epizy.com/tojedusepupen.pdf
    • https://cc968bdf-8a18-4a65-a72d-893c706ef441.filesusr.com/ugd/bae363_d47c09e661d64061bb2152f34906417f.pdf?index=true
    • https://e21f0dd0-e693-4a2a-aa38-6cab66162128.filesusr.com/ugd/34eed6_aae23c83d3f54735972ab9ba5099a449.pdf?index=true
    • https://d5aacb37-8766-4234-9cc8-c2ec3b911aba.filesusr.com/ugd/1e723b_f7a05ce08cde4507a40fb3f731d0f9fd.pdf?index=true
    • https://35b1a599-9f45-4897-82ce-59a931fc5495.filesusr.com/ugd/daca0d_f847028a7cb1466982f88e5441b99eec.pdf?index=true
    • https://ec2d952e-5494-46d8-b841-fee222248b17.filesusr.com/ugd/9713d5_a66f1dfe1fe94cb18a66672c3590f379.pdf?index=true
    • https://041aa876-b65b-432c-96c0-58c8b295a4e4.filesusr.com/ugd/90d19e_6d0d2d292c2d4c3b9060a1d1225d8165.pdf?index=true
    • https://e57d8632-f742-4524-ada6-9cdf759d9f13.filesusr.com/ugd/b0cb2d_449790144ffe4ed6a7140c054541ebdb.pdf?index=true
    • https://409b2d23-5c1d-402e-97df-26c0da9299b0.filesusr.com/ugd/2e3d42_09b6a6310ce243b783ba2d7cccf4daf8.pdf?index=true
    • https://uploads.strikinglycdn.com/files/dfe9767d-04d3-47aa-a11e-feac00e9f642/how_to_clean_burnt_stove_pans.pdf
    • https://uploads.strikinglycdn.com/files/c219e76e-edc7-4b51-8214-a335e5c8a2e4/why_is_my_linksys_router_blinking_red.pdf
    • https://88749095-6fd7-453f-8e8a-15b48fe47dd1.filesusr.com/ugd/e4d7df_a6008a9601b84d91a01000721f220d72.pdf?index=true
    • https://e61e9f85-32c5-4861-9fd4-b89109084c35.filesusr.com/ugd/2e4eb4_e63ce492d8874a44b73d97d46bb6e234.pdf?index=true
    • https://3568c1c9-c281-4b9a-9ea9-d5d291e0176b.filesusr.com/ugd/e5d8db_02d556be9793400fa2aa60d4487f1352.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f57d.bin
d81674f966bdd58206faafd7136a71067073f8da2c974e4c9d965b91cf9390af		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF57D 5068 bytes
font_01_sfnt_off000106c0.bin
dac07296ed890340c190d70967cabb356db25feeaf3064dcb8d6757928d63dfa		 pdf-font-stream PDF embedded font (sfnt) at offset 0x106C0 10856 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.