Malicious PDF — malware analysis report

Static analysis result for SHA-256 8c1e6c0028a95c80…

MALICIOUS

PDF

Size: 94.8 KB
Created: 2021-02-16 13:13:34 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-17
MD5: 4f76938c38f117ad34e9e402b3111b4e
SHA-1: ff272810fa32d6b80b7fc5273155cd705c9f2c4f
SHA-256: 8c1e6c0028a95c804c6085f62376be2102f36db1359223033e80a51b5e8f65e3
Risk Score: 126

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, many pointing to disposable domains, and is flagged by ML classifiers and ClamAV as malicious phishing content. The document body, though heavily obfuscated, suggests a lure related to educational worksheets. The presence of embedded URLs indicates an attempt to redirect the user to malicious sites for further exploitation.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels record which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size
  • font_00_sfnt_off0001046f.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x1046F, 5496 bytes
    SHA-256: edf703fa2235b81112a37b4961c5c9bc78b01370abf5eea32307af8dc88889d3
  • font_01_sfnt_off000116f9.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x116F9, 14804 bytes
    SHA-256: 5eaace359dbd814838c6b5fca39bfb81caeefc10d484bd21edc46d224a993875
  • font_02_sfnt_off000146e6.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x146E6, 16904 bytes
    SHA-256: cce2988d913607c71b9b0954edd55b1224a5ee9bdbdd689d6338bedc4d85a7b9
  • font_03_sfnt_off00015e9b.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x15E9B, 4324 bytes
    SHA-256: 1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361