Malicious PDF — malware analysis report

Static analysis result for SHA-256 87f7e02ed722a7ec…

MALICIOUS

PDF

67.0 KB Created: 2021-03-19 06:08:09 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-23
MD5: 74cbcf16d6b785f46952c77157e13b96 SHA-1: 5999b9d7d2264d94c926bcbffed34c4ea3fbb72a SHA-256: 87f7e02ed722a7ece1698badb16a08d15a592046502d1360c2c2919a1cbda8c4
126 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://vilenefex.ru/strik?utm_term=sector+de+alimentos+y+bebidas+en+ecuador PDF link annotation
    • https://cdn.sqhk.co/zurefaxenov/p5igjhc/nimowavubaneg.pdfIn PDF document text
    • http://legiontry.online/download_royal_robots_battleground_mod_apkzz3mf.pdfIn PDF document text
    • http://cyberlife.store/how_to_use_bissell_little_green_portable_deep_cleanershl33.pdfIn PDF document text
    • https://cdn.sqhk.co/dekawako/hi3jfGn/pad_footing_design_spreadsheet_bs_8110.pdfIn PDF document text
    • http://jidobefom.iblogger.org/whatsapp_app_free_for_nokia_x2-_01.pdfIn PDF document text
    • https://cdn.sqhk.co/fanasuzajem/dq5sqCN/18823990863.pdfIn PDF document text
    • http://nashremont.site/how_large_is_human_traffickingldwhg.pdfIn PDF document text
    • http://pagebake.com/list_of_gnostic_archonsm2u1w.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4387582/normal_6046bc4797c3c.pdfIn PDF document text
    • http://netewe9.xyz/tukivibupagowoib7xv.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4445107/normal_5ff3f0d089c30.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4375358/normal_60184ecbf21f2.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4485711/normal_6023e36a41283.pdfIn PDF document text
    • http://yesstore.pro/lake_ontario_salmon_report_2019n3655.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://zunaxixe.rf.gd/forgot_password_email_template_laravel.pdfIn PDF document text
    • http://riwexakax.epizy.com/electrical_engineering_mcqs_book_by_handa_download.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/80383585-44a2-4e19-8c64-48a8fa6944fa/the_pop_rock_and_soul_reader_3rd_edition_ebook.pdfIn PDF document text
    • http://pejefovad.epizy.com/watchmen_episode_1_parents_guide.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/37523040-cb00-434f-b6ca-1e6fb6080e9f/49277515088.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/3f15c41b-8d3d-4ef8-a5f8-ba8607c14941/power_of_information_technology_enabled_services.pdfIn PDF document text
    • http://kajonefev.rf.gd/financial_risk_management_books.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c8b0.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xC8B0 5428 bytes
SHA-256: f749a5cbd26700734d47277d89b575ce82388e8325add6ba03071b5639eda0dc
font_01_sfnt_off0000db12.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDB12 10844 bytes
SHA-256: b7a0eb1cfb93a28cda48acacc8d3f357e910ca2725ab771714c3886bcd47c1d5