Malicious PDF — malware analysis report

Static analysis result for SHA-256 87541224c9c4a1e4…

Verdict: MALICIOUS
File type: PDF
Size: 84.0 KB
Created: 2021-03-27 11:08:15 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-23
MD5: a2b1c7a37e87c46d9325e8ddd4de4b3b
SHA-1: 709664ad21d13bec99bbe7936dee90ec1b999a8f
SHA-256: 87541224c9c4a1e40bc04c4cae10e3390371f7046a2241ca6d4d633923e3b6db
Risk score: 186

Malware Insights

MITRE ATT&CK

  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

This 84 KB PDF, generated with wkhtmltopdf (HTML rendered to PDF), was flagged as malicious by a ClamAV signature and by the Nyx ML classifier. It carries no exploit code. Its content is a large number of clickable links to other PDFs parked on free/disposable content hosts (weebly.com subdomains, filesusr.com, cdn.sqhk.co) plus one keyword-driven SEO redirector link (jottigo.ru) in a link annotation: the pattern of a generated SEO link-farm document that ranks for search queries and routes users into redirect or unwanted-software delivery chains. The risk is therefore in the linked destinations, not in the file itself. One indirect object is also defined twice with different bodies, which first-wins and last-wins parsers resolve differently; that finding is rated info only. The URLs and the carved font streams are listed under Embedded URL and Extracted artifacts below.

Machine Learning

  • Nyx PDF Classifier: malicious, score 0.9995

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting (severity: medium, rule: PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://jottigo.ru/award?keyword=aktiv+passiv+englisch+%25C3%25BCbungen+pdf+mit+l%25C3%25B6sungen (PDF link annotation)
    • https://dodesagetulisuv.weebly.com/uploads/1/3/4/9/134902864/purur.pdf (in PDF document text)
    • https://xogubopuvemaf.weebly.com/uploads/1/3/4/7/134768150/bifik-pisarutasez-gedagu.pdf (in PDF document text)
    • https://vagepawesiger.weebly.com/uploads/1/3/4/5/134516176/tujipamugaguvojemi.pdf (in PDF document text)
    • https://ligofaxudatejot.weebly.com/uploads/1/3/0/7/130739538/xuzuwipis.pdf (in PDF document text)
    • https://dizegeduwawab.weebly.com/uploads/1/3/4/3/134374994/933971.pdf (in PDF document text)
    • https://genezekanoz.weebly.com/uploads/1/3/1/4/131413678/637013e.pdf (in PDF document text)
    • https://bateworolod.weebly.com/uploads/1/3/4/3/134315912/99c3170125ebc79.pdf (in PDF document text)
    • https://cdn.sqhk.co/fegukajebaj/hjZhdih/mafamipe.pdf (in PDF document text)
    • https://kezugefoluvero.weebly.com/uploads/1/3/1/8/131856244/sudixakadu-kagixisuwago-zutaduwin.pdf (in PDF document text)
    • https://bigevavez.weebly.com/uploads/1/3/4/0/134016854/6657311.pdf (in PDF document text)
    • https://kesazawen.weebly.com/uploads/1/3/4/4/134401730/xamaxebami-gojigepeja-tanegoxiziveb-sanat.pdf (in PDF document text)
    • https://megularebenava.weebly.com/uploads/1/3/1/1/131164421/dokoj-zizinofa-nopujafenad-robivuzewako.pdf (in PDF document text)
    • https://cdn.sqhk.co/vutowogipu/djfidrB/define_geotechnical_report.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://0df6220b-9630-4647-aab6-0d9db69b9d59.filesusr.com/ugd/8b97dd_b1efc9c75edd4623895d0357fa5cd83f.pdf?index=true (in PDF document text)
    • https://ede36962-9452-4451-b182-fa4236ba9bc6.filesusr.com/ugd/83b1b3_2d21e4673d45487b8e83aeebdc28c930.pdf?index=true (in PDF document text)
    • https://9f349447-249b-4747-956a-316fe86e371b.filesusr.com/ugd/d2b720_c3a1df9ebb3e47a0821f2bfdfe5e791c.pdf?index=true (in PDF document text)
    • https://7ffe38df-ef78-47a1-8632-a9c579db478a.filesusr.com/ugd/8ff694_96b9590e0c2d4870959e3ece87727a18.pdf?index=true (in PDF document text)
    • https://01dc7cc6-b8ed-446e-8cc8-1ad78882ed38.filesusr.com/ugd/e23fbb_a48bf70c6a7b449dab30f7c89066fd5e.pdf?index=true (in PDF document text)
    • https://e61e9f85-32c5-4861-9fd4-b89109084c35.filesusr.com/ugd/2e4eb4_de9a2e507b584ab5ab17459017fef86e.pdf?index=true (in PDF document text)
    • https://1b6fe947-be7e-4494-9a94-f566f178d3d1.filesusr.com/ugd/89064d_89718dc5f4a34af3a96db0d53e881d54.pdf?index=true (in PDF document text)
    • https://1b3fde16-7575-45ba-b40e-8916c64185ca.filesusr.com/ugd/8874e8_8f22bc6061e145b899f9f7e3b5a17be0.pdf?index=true (in PDF document text)
    • https://ac65beef-1c88-4b01-a948-251493ed82f2.filesusr.com/ugd/09857b_515a95db81044d5cb59dd4dc0bb9bcb5.pdf?index=true (in PDF document text)
    The following are XMP metadata namespace and font licence URIs found in the document bytes; they are ordinary metadata, not link destinations:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)
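The two SEO link-farm heuristics and the duplicate-object heuristic above are stated as rules, not code. The Python below is an added example written for this report, not the scanner's own implementation. It carves every `N G obj ... endobj` definition out of raw PDF bytes, flags an object number defined twice with different bodies and shows what a first-wins and a last-wins reader would each resolve, then extracts `/URI` link annotations and bare URLs from the document bytes and scores how the linked PDFs cluster across hosts. The size and link-count thresholds, the disposable-host list, the redirector query markers, the "last two labels" registrable-domain approximation, and the embedded `SAMPLE_PDF` (invented hostnames, just enough PDF structure for these regexes) are all constructed assumptions.

```python
"""Link-farm scoring and duplicate-object detection over raw PDF bytes (added example)."""
import hashlib
import re
from collections import Counter
from urllib.parse import urlparse

# Thresholds and host lists are assumptions chosen for this example, not the scanner's own.
SMALL_PDF_BYTES = 200 * 1024  # cut-off for a "small" PDF
MIN_PDF_LINKS = 5             # how many external .pdf links count as "many"
DISPOSABLE_SUFFIXES = ("weebly.com", "filesusr.com", "sqhk.co")  # free/disposable hosts in the report
REDIRECTOR_KEYS = ("utm_term=", "keyword=")                      # SEO-redirector query markers
NOISE_PREFIXES = ("http://ns.adobe.com/", "http://purl.org/", "http://www.w3.org/",
                  "http://scripts.sil.org/", "http://dejavu.sourceforge.net")  # XMP/font metadata

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
URI_RE = re.compile(rb"/URI\s*\((https?://[^)\s]+)\)")
TEXT_URL_RE = re.compile(rb"https?://[^\s<>()\"']+")

# Constructed sample with invented hostnames; only as much PDF structure as these regexes need.
# Object 4 is defined twice with different bodies, the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL shape.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >> endobj
4 0 obj << >> stream
(https://site1.weebly.com/uploads/1/a.pdf) Tj
(https://site2.weebly.com/uploads/2/b.pdf) Tj
(https://site3.weebly.com/uploads/3/c.pdf) Tj
(https://site4.weebly.com/uploads/4/d.pdf) Tj
(https://cdn.sqhk.co/x/y/e.pdf) Tj
(https://1111-2222.filesusr.com/ugd/f.pdf?index=true) Tj
(http://ns.adobe.com/xap/1.0/) Tj
endstream endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://redirector.invalid/award?keyword=free+template+pdf&utm_term=x) >> >> endobj
4 0 obj << >> stream
(This is the body a last-wins reader shows) Tj
endstream endobj
%%EOF
"""

def parse_objects(data: bytes):
    """Every 'N G obj ... endobj' definition in file order, duplicates kept."""
    return [(int(n), int(g), body) for n, g, body in OBJ_RE.findall(data)]

def duplicate_objects(objs):
    """Object ids defined more than once with differing bodies -> {(N, G): [sha256 of each body]}."""
    seen = {}
    for n, g, body in objs:
        seen.setdefault((n, g), []).append(hashlib.sha256(body.strip()).hexdigest())
    return {key: digests for key, digests in seen.items() if len(set(digests)) > 1}

def resolve(objs, key, policy="last"):
    """Body that a first-wins or last-wins reader would use for object `key` (None if undefined)."""
    bodies = [body for n, g, body in objs if (n, g) == key]
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]

def extract_urls(data: bytes):
    """(url, channel) pairs: /URI link annotations first, then bare URLs anywhere in the bytes."""
    found = [(m.group(1).decode("ascii", "replace"), "link annotation") for m in URI_RE.finditer(data)]
    annotated = {u for u, _ in found}
    for m in TEXT_URL_RE.finditer(data):
        url = m.group(0).decode("ascii", "replace")
        if url not in annotated:
            found.append((url, "document text"))
    return found

def parent_domain(host: str) -> str:
    """Registrable-domain approximation: the last two labels (no public-suffix list; an assumption)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def is_disposable(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in DISPOSABLE_SUFFIXES)

def link_farm_verdict(data: bytes):
    """(labels, stats) following the two SEO link-farm heuristics; labels is empty when not triggered."""
    urls = [u for u, _ in extract_urls(data) if not u.startswith(NOISE_PREFIXES)]
    pdf_links = [u for u in urls if urlparse(u).path.lower().endswith(".pdf")]
    if len(data) > SMALL_PDF_BYTES or len(pdf_links) < MIN_PDF_LINKS:
        return [], {"pdf_links": len(pdf_links)}
    hosts = [urlparse(u).hostname or "" for u in pdf_links]
    fqdn_share = Counter(hosts).most_common(1)[0][1] / len(pdf_links)
    parent_share = Counter(map(parent_domain, hosts)).most_common(1)[0][1] / len(pdf_links)
    disposable_share = sum(map(is_disposable, hosts)) / len(pdf_links)
    redirector = any(k in urlparse(u).query for u in urls for k in REDIRECTOR_KEYS)
    labels = []
    if parent_share >= 0.5:  # most links clustered under one registrable domain
        labels.append("PDF_SEO_LINK_FARM")
    if fqdn_share < 0.5 and (redirector or disposable_share >= 0.5):  # spread thin across FQDNs
        labels.append("PDF_SEO_DISPOSABLE_LINK_FARM")
    stats = {"pdf_links": len(pdf_links), "fqdn_top_share": round(fqdn_share, 2),
             "parent_top_share": round(parent_share, 2),
             "disposable_share": round(disposable_share, 2), "redirector": redirector}
    return labels, stats
```

Run `link_farm_verdict(SAMPLE_PDF)` and both labels come back together, which is also what this report shows: measured per registrable domain the links are clustered (in the sample above 4 of 6 on weebly.com; in the real file 11 of the 22 linked PDFs sit on weebly.com), while measured per FQDN no single host dominates because every link uses its own subdomain, and the `keyword=`/`utm_term=` redirector annotation corroborates the second rule. `duplicate_objects` keys the two object-4 definitions by `(4, 0)` and `resolve(objs, (4, 0), "first")` versus `resolve(objs, (4, 0))` shows the two different bodies a first-wins and a last-wins parser would display. A production version should replace `parent_domain` with a public-suffix-list lookup, since weebly.com and filesusr.com are themselves shared platforms, and should decode content streams before searching for text URLs rather than grepping raw bytes as this example does.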

Extracted artifacts (3)

Files carved from inside the sample during analysis. All three are embedded sfnt font programs (pdf-font-stream), not executable payloads.

Filename                        Kind              Source                                       Size
font_00_sfnt_off0000efa0.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0xEFA0    5984 bytes
  SHA-256: 7861855ea722e92735007f1722f66c88ea48ad6af80a1b3abd9234833498ee5b
font_01_sfnt_off00010363.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0x10363   11628 bytes
  SHA-256: fbf93370cb642fc92914c20390779bf9199e43506dfa1cc0c21dd0b726fda437
font_02_sfnt_off00012a41.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0x12A41   16204 bytes
  SHA-256: 31aa257675234f953cb39254c73a0c002637764ec2691c470e0912636c3685cf