Malicious PDF — malware analysis report

Static analysis result for SHA-256 83e5d207dfff9908…

Verdict: MALICIOUS
File type: PDF
Size: 77.7 KB
Created: 2021-06-02 10:24:11 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-01
MD5: 69c65294ad92b6fae15a5776fde07c5c
SHA-1: ad5ecf7482de7752733b011edf24e7b757d84e49
SHA-256: 83e5d207dfff9908313380ac958811f27e946957590df25c979660aef8788d2e
Risk score: 186

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript
None of the six heuristics below reports JavaScript in this sample, and the link-farm heuristic states that the PDF itself carries no exploit; treat the T1059.007 mapping as unconfirmed by this report's own findings.

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware under the signature named above.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
    Note that this rule and PDF_SEO_LINK_FARM describe opposite host distributions (one dominant host versus none) yet both fired on this sample, so check the URL list below before relying on either label.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://synerhu.ru/pbw?utm_term=geometry+chapter+1+test+form+k+answer+key (PDF link annotation)
    • https://sazobumegeti.weebly.com/uploads/1/3/1/4/131407647/9714040.pdf (PDF document text)
    • https://javesuput.weebly.com/uploads/1/3/0/8/130873829/5279499.pdf (PDF document text)
    • https://cdn-cms.f-static.net/uploads/4489732/normal_6042dabf62649.pdf (PDF document text)
    • https://tojipojewusaw.weebly.com/uploads/1/3/0/8/130814735/renureririkibuw-sakov-vatolomabose-nodar.pdf (PDF document text)
    • https://jibeguviju.weebly.com/uploads/1/3/4/7/134723477/6850900.pdf (PDF document text)
    • https://deketonozalupu.weebly.com/uploads/1/3/3/9/133997688/1687137.pdf (PDF document text)
    • https://radiduma.weebly.com/uploads/1/3/4/3/134362755/xefalulivumo-lasarutazi-digurut-fijatokuwaboj.pdf (PDF document text)
    • https://cdn-cms.f-static.net/uploads/4501356/normal_60603c61e9b5a.pdf (PDF document text)
    • https://rolarijigajegij.weebly.com/uploads/1/3/1/4/131438579/fivisubuzevu-rivirabinatirid.pdf (PDF document text)
    • https://cdn-cms.f-static.net/uploads/4484997/normal_605561c5804a2.pdf (PDF document text)
    • https://cdn-cms.f-static.net/uploads/4393349/normal_601e027c584c9.pdf (PDF document text)
    • http://www.gust.org.pl/projects/e-foundry (PDF document text)
    • http://dejavu-fonts.org/wiki/License (PDF document text)
    • http://www.ascendercorp.com/ (PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (PDF document text)
    • https://uploads.strikinglycdn.com/files/6645a523-c500-443b-bebb-35b9b8fc5ce8/zidifuvazoj.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/9b92bd79-7f74-4111-b608-5f407d9e00ac/directions_for_splat_hair_dye.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/f0c27caa-a298-4c0b-b0d3-7764880450a2/monesuxudumetikafotafim.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/8dc17d5c-82fc-41bf-93a5-7cb544fd1a63/engineering_drawing_sheet.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/d6f6efda-3119-4691-9f66-3843cc278b6f/40764889235.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/eb0c99a4-8d9c-42da-b2fd-3f7b53b058ec/how_to_play_minesweeper_google_version.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/833fc699-3854-485c-8bf2-2b2ee5e60692/what_is_a_critical_evaluation_of_an_article.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/b5591509-5477-48a8-beb2-7e1c13a1d0a2/55102645700.pdf (PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (PDF document text)
    • http://purl.org/dc/elements/1.1/ (PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (PDF document text)
    • http://ns.adobe.com/xap/1.0/ (PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (PDF document text)
    • http://scripts.sil.org/OFL (PDF document text)
    The gust.org.pl, dejavu-fonts.org, ascendercorp.com and scripts.sil.org/OFL entries are font-licence references of the kind carried in embedded font tables, and the w3.org, purl.org and ns.adobe.com entries are XMP metadata namespace identifiers; both groups are normal in wkhtmltopdf output and are not link-farm destinations. The actionable set is the .pdf links on weebly.com, f-static.net and strikinglycdn.com together with the synerhu.ru utm_term redirector reached through the link annotation.
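Two of the heuristics above describe a checkable method: the host-clustering test behind PDF_SEO_LINK_FARM / PDF_SEO_DISPOSABLE_LINK_FARM, and the duplicate-object comparison behind PDF_DUPLICATE_OBJ_BODY_INCREMENTAL. The script below is an added example written for this page, not the scanner's own code. It works on raw PDF bytes with regular expressions, and the object pattern, the list of "active content" keys, the 50% dominant-host share, the minimum of eight .pdf links, the disposable-host suffixes and the sample PDF itself are all assumptions constructed for illustration; only the rule ids and channel labels are taken from the report.

```python
import re
from collections import Counter
from pprint import pprint
from urllib.parse import parse_qs, urlparse

# "N G obj ... endobj" for classic uncompressed PDFs. Assumption: object bodies never
# contain the literal token "endobj" (true for the sample below, not for arbitrary files).
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
# Keys that make a redefined object worth escalating (assumed list, per the heuristic text).
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA", b"/URI", b"/SubmitForm")
# /URI (string) inside a link annotation's action, and bare URLs in body text.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
TEXT_URL_RE = re.compile(rb"https?://[^\s<>()\"']+")
# Free/disposable hosting suffixes (assumed; the report's URL list shows these three).
DISPOSABLE_HOSTS = ("weebly.com", "strikinglycdn.com", "f-static.net")
MIN_PDF_LINKS = 8          # assumed threshold for "many" external PDF links
DOMINANT_HOST_SHARE = 0.5  # assumed: one host holding >= half the .pdf links is "clustered"


def find_duplicate_objects(pdf: bytes):
    """[(num, gen, active)] for object ids defined more than once with differing bodies.
    First-wins and last-wins parsers resolve such an id to different content."""
    bodies = {}
    for m in OBJ_RE.finditer(pdf):
        bodies.setdefault((int(m.group(1)), int(m.group(2))), []).append(m.group(3).strip())
    dupes = []
    for (num, gen), seen in bodies.items():
        if len(set(seen)) > 1:
            active = any(key in body for body in seen for key in ACTIVE_KEYS)
            dupes.append((num, gen, active))
    return dupes


def extract_urls(pdf: bytes):
    """Map each URL to the channel(s) it was reached through, labelled as in the report."""
    channels = {}
    for m in URI_RE.finditer(pdf):
        channels.setdefault(m.group(1).decode("latin-1"), set()).add("PDF link annotation")
    for m in TEXT_URL_RE.finditer(pdf):
        url = m.group(0).decode("latin-1").rstrip(".,;")
        if "PDF link annotation" not in channels.get(url, ()):
            channels.setdefault(url, set()).add("PDF document text")
    return channels


def score_link_farm(urls):
    """Return the report's rule id for a clustered or a non-clustered PDF link farm."""
    pdf_links = [u for u in urls if urlparse(u).path.lower().endswith(".pdf")]
    if len(pdf_links) < MIN_PDF_LINKS:
        return []
    hosts = Counter(urlparse(u).hostname or "" for u in pdf_links)
    top_count = hosts.most_common(1)[0][1]
    if top_count / len(pdf_links) >= DOMINANT_HOST_SHARE:
        return ["PDF_SEO_LINK_FARM"]
    seo_redirector = any("utm_term" in parse_qs(urlparse(u).query) for u in urls)
    disposable = sum(1 for h in hosts if h.endswith(DISPOSABLE_HOSTS))
    if seo_redirector or disposable >= 2:
        return ["PDF_SEO_DISPOSABLE_LINK_FARM"]
    return []


def triage(pdf: bytes):
    """Run both checks; the summary shape is this example's, not the scanner's."""
    urls = extract_urls(pdf)
    dupes = find_duplicate_objects(pdf)
    return {
        "url_count": len(urls),
        "link_farm_findings": score_link_farm(urls),
        "duplicate_objects": [(n, g) for n, g, _ in dupes],
        "duplicate_objects_with_active_content": [(n, g) for n, g, active in dupes if active],
    }


# Constructed sample, not bytes from the analysed file: object 4 (link annotation) is
# redefined by an incremental update to point at a utm_term redirector, object 6 (Info)
# is redefined benignly, and the page text carries eight .pdf links spread over hosts.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] /Contents 5 0 R >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
  /A << /S /URI /URI (https://example-a.test/page) >> >> endobj
5 0 obj << /Length 0 >>
stream
(https://h1.weebly.com/u/1.pdf https://h2.weebly.com/u/2.pdf https://cdn-cms.f-static.net/u/3.pdf
 https://cdn-cms.f-static.net/u/4.pdf https://h3.weebly.com/u/5.pdf https://uploads.strikinglycdn.com/f/6.pdf
 https://uploads.strikinglycdn.com/f/7.pdf https://h4.weebly.com/u/8.pdf http://dejavu-fonts.org/wiki/License)
endstream
endobj
6 0 obj << /Producer (wkhtmltopdf 0.12.5) /ModDate (D:20210602102411) >> endobj
6 0 obj << /Producer (wkhtmltopdf 0.12.5) /ModDate (D:20210602102500) >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
  /A << /S /URI /URI (https://redirector.test/pbw?utm_term=geometry+test+answer+key) >> >> endobj
%%EOF
"""

if __name__ == "__main__":
    pprint(triage(SAMPLE_PDF))
```

Run stand-alone it prints the triage summary for the constructed sample: eleven URLs, the non-clustered link-farm rule, and two redefined objects of which only object 4 (the link annotation carrying /URI) would be escalated. On real files a byte-level regex cannot see objects packed into compressed object streams or URLs inside Flate-compressed content streams, so either normalise the file first (for example with `qpdf --qdf`) or swap the regex layer for a proper parser; the thresholds are illustrative and should be tuned against a benign corpus before use in detection.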

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                       Kind             Source                                      Size
font_00_sfnt_off0000e5e6.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xE5E6   2012 bytes
    SHA-256: 50c693ccc35c45ae36e4e8150e5e3a789f4afe8a9d468d91175ccd2ce887259e
font_01_sfnt_off0000eeae.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xEEAE   5564 bytes
    SHA-256: 281e85151a291d572710f01c87c382bcd2277ee9c49dcc9d4e22ebad3e982333
font_02_sfnt_off00010192.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x10192  11532 bytes
    SHA-256: 96156fa1f8e27e97923449b6f01afecbd6e792406bec957a2e12ee5906da0fd3