Malicious PDF — malware analysis report

Static analysis result for SHA-256 8b90ef0b93127bdd…

Verdict: MALICIOUS
File type: PDF
Size: 91.0 KB
Created: 2021-05-13 19:55:28 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-23
MD5: 1502d4116256cc7202f1522871fb9058
SHA-1: 277e4380351cca6e5c4a2fc9651166a47271bda5
SHA-256: 8b90ef0b93127bddf4c28ecfdd02d12b741068942095a90ab2b9808097cb3d98
Risk score: 126

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF document uses a lure related to fishing to disguise its malicious intent. It contains numerous embedded URLs pointing to disposable domains, indicating a phishing or scam attempt. The ML classifier and ClamAV detection strongly suggest maliciousness, likely related to phishing campaigns.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9967

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://kuzutuzo.ru/strik?utm_term=how+to+rig+shrimp+for+redfish (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off00012787.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12787 | 5264 bytes
  SHA-256: 6613561d7256e5aa23841d78a461ffa4460470987c4871c05c3cc968e4929c05
font_01_sfnt_off0001395c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1395C | 10888 bytes
  SHA-256: 925e4350cc8f35da6cce426a954a66043b41ab137d8af73eae80b796880e57a3