Malicious PDF — malware analysis report

Static analysis result for SHA-256 9017f64f78b5b836…

Verdict: MALICIOUS
File type: PDF
Size: 113.0 KB
Created: 2021-04-30 22:01:21 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-23
MD5: 2fb1ab46e423ddb66f469d574abf17d4
SHA-1: 509ee80f9e17f9f05bd73c866aec90f32cb281ef
SHA-256: 9017f64f78b5b836fea58ed8c570734cee4d396a2c1cf4dc67d996bb927fd5f4
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF was flagged as malicious by ClamAV (signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0) and by the Nyx PDF classifier (score 0.9772). It was produced with wkhtmltopdf, i.e. rendered from an HTML page, and its body consists of links to other PDFs hosted on web-builder and object-storage services (weebly.com, filesusr.com, strikinglycdn.com, s3.amazonaws.com) and on .fun/.site/.space domains, the pattern of a generated SEO link farm; the single clickable link annotation points at seumenha.ru. The URLs, with the channel each one was found in, are listed under Embedded URL below.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9772

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins and a last-wins reader resolve different content, a parser-confusion shape used by targeted PDFs (for example to show a scanner one definition and a viewer another). Body-only differences are routine in benign incremental updates, so severity is raised only when a duplicate definition carries active content such as JavaScript or an action; here it stayed at info.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Link annotation (clickable /URI action):
    • https://seumenha.ru/strik?utm_term=vox+ac15vr+manual
    Document text (URL strings in page content; the link-farm targets):
    • https://ragivigelogupow.weebly.com/uploads/1/3/4/5/134525503/lumiguw.pdf
    • http://whalesqpa.fun/varekokizemafudvwe1c.pdf
    • http://good-production16.site/zilebirnwyh3.pdf
    • http://contentmedialiteracy.com/pebble_watch_model_301blj28rr.pdf
    • http://legendnat.space/ufc_254_fight_card_time7vaar.pdf
    • https://zuxafovofava.weebly.com/uploads/1/3/4/8/134867840/2298835.pdf
    • https://vumimexuderuwaz.weebly.com/uploads/1/3/1/8/131871863/6728631.pdf
    • https://zetejuxir.weebly.com/uploads/1/3/4/3/134338478/1849920.pdf
    • https://fakivafepupu.weebly.com/uploads/1/3/0/8/130873921/wivudifizesu-gaxadovox-luragofar-jodalemeji.pdf
    • http://tokio-2020.fun/wosomop93f81.pdf
    • https://1094d5c0-a920-47c7-a1de-7e2d56a92d84.filesusr.com/ugd/47b1e8_7e1794107070470f98a36d1d4bdebe5f.pdf?index=true
    • https://30de3caf-c510-4ce9-8691-b8280dc60d9b.filesusr.com/ugd/4980ee_e0afb8836b2a48399e45885853c038df.pdf?index=true
    • https://s3.amazonaws.com/xilasisefi/81154859497.pdf
    • https://uploads.strikinglycdn.com/files/eae3abad-8f66-4fd3-9424-5a88eeec6d29/when_was_christianity_introduced_to_the_philippines.pdf
    • https://s3.amazonaws.com/posufij/71372615969.pdf
    • https://bb55feb6-a0c4-48ae-8f72-aea2c45912f8.filesusr.com/ugd/b9801a_004e7eceb7d744089ba2acdd800ac311.pdf?index=true
    • https://3caa4030-7dd6-4be4-8a8a-e1981c45b3cd.filesusr.com/ugd/704988_01fa4604114349c38e1da4012393f852.pdf?index=true
    • https://d17f4099-ecc1-42b1-9c73-51521793457c.filesusr.com/ugd/4a2613_15a1532e330d464286abfbb02b4d93a3.pdf?index=true
    • https://s3.amazonaws.com/banula/short_stories_in_english_for_childrens_to_read.pdf
    • https://s3.amazonaws.com/bomifabipi/revexupelet.pdf
    • https://uploads.strikinglycdn.com/files/b123846b-b80b-41eb-ba76-c5fcf5834950/linux_networking_interview_questions_and_answers.pdf
    • https://s3.amazonaws.com/zuses/metal_cladding_sheet_size.pdf
    • https://s3.amazonaws.com/bezegoluzose/target_threshold_twin_fitted_sheet.pdf
    Document text, metadata residue (XMP namespace URIs and copyright/licence strings of the embedded fonts, e.g. DejaVu, Lohit, GNU FreeFont and SIL OFL-licensed faces; present in most PDFs and not indicators; the extractor had fused some of these with adjacent font-name text, which is removed here):
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://fedorahosted.org/lohit
    • http://www.fontrix.com
    • http://www.nhncorp.com
    • http://www.daltonmaag.com/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://www.geocities.com/mitra_anirban/hobbies.htm
    • http://www.gnu.org/copyleft/gpl.htm
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    • https://savannah.gnu.org/projects/freefont/
    • http://www.gnu.org/licenses/
    • http://www.gnu.org/copyleft/gpl.html
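The channel labels above (link annotation versus document text) and the host-clustering test behind PDF_SEO_LINK_FARM can be reproduced with a short script. The following is an added example written for this page, not the scanner's own code: it inflates Flate streams, pulls URLs out of every decoded view, separates /URI link actions from URL strings in page text, sets aside XMP-namespace and font-licence hosts as metadata noise, and reports which host dominates the rest. The sample PDF, and the hostnames farm.example, cdn.example and files.example in it, are constructed for the demonstration.

```python
"""Extract URLs from a PDF, label the channel carrying each one, and measure host clustering.

Added example for this page, not the scanner's own code.  Channels distinguished:
'link annotation'       - a /URI action a viewer follows on click,
'document text'         - a URL string in page content or other decoded bytes,
'metadata/font licence' - XMP namespace URIs and font copyright/licence hosts.
Only literal-string /URI values are parsed; hex strings and escaped parentheses are not.
"""
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

# Hosts that appear in most PDFs through XMP namespaces and embedded-font licence text.
METADATA_HOSTS = {
    "ns.adobe.com", "www.w3.org", "purl.org",              # XMP / RDF / Dublin Core namespaces
    "scripts.sil.org", "www.gnu.org", "savannah.gnu.org",  # SIL OFL, GPL, GNU FreeFont
    "dejavu.sourceforge.net", "fedorahosted.org",          # DejaVu and Lohit font projects
}

URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&*+,;=%-]+")
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)\\]*)\)")   # /A << /S /URI /URI (http://...) >>
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def decoded_views(pdf: bytes):
    """Yield the raw file, then every stream body that inflates as zlib (FlateDecode)."""
    yield pdf
    for m in STREAM_RE.finditer(pdf):
        try:
            # decompressobj tolerates a trailer clipped by the regex; non-zlib data raises.
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not Flate-encoded; its raw bytes were already scanned


def extract_urls(pdf: bytes) -> dict:
    """Return {url: channel}.  A URL that is both a /URI action and a text string is
    reported as 'link annotation', the channel that actually routes a user."""
    found = {}
    for view in decoded_views(pdf):
        for m in URL_RE.finditer(view):
            url = m.group(0).decode("latin-1")
            host = urlsplit(url).hostname or ""
            channel = "metadata/font licence" if host in METADATA_HOSTS else "document text"
            found.setdefault(url, channel)
    for m in URI_ACTION_RE.finditer(pdf):
        found[m.group(1).decode("latin-1")] = "link annotation"
    return found


def host_clustering(urls: dict):
    """(dominant host, its share, URL count) over non-metadata URLs; (None, 0.0, 0) if none."""
    hosts = Counter(urlsplit(u).hostname for u, ch in urls.items() if ch != "metadata/font licence")
    total = sum(hosts.values())
    if not total:
        return None, 0.0, 0
    host, n = hosts.most_common(1)[0]
    return host, n / total, total


# --- constructed sample document (farm.example, cdn.example, files.example are placeholders) ---
def _obj(num: int, body: bytes) -> bytes:
    return b"%d 0 obj\n%s\nendobj\n" % (num, body)

def _stream(extra: bytes, data: bytes) -> bytes:
    return b"<< /Length %d %s >>\nstream\n%s\nendstream" % (len(data), extra, data)

def _link(rect: bytes, url: bytes) -> bytes:
    return b"<< /Type /Annot /Subtype /Link /Rect [%s] /A << /S /URI /URI (%s) >> >>" % (rect, url)

_CONTENT = b"BT /F1 12 Tf 72 700 Td (Download: https://files.example/manual1.pdf) Tj ET"
_XMP = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
        b'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/></x:xmpmeta>')

SAMPLE_PDF = (
    b"%PDF-1.4\n"
    + _obj(1, b"<< /Type /Catalog /Pages 2 0 R /Metadata 6 0 R >>")
    + _obj(2, b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>")
    + _obj(3, b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [7 0 R 8 0 R 9 0 R] >>")
    + _obj(4, _stream(b"/Filter /FlateDecode", zlib.compress(_CONTENT)))   # URL only visible after inflate
    + _obj(6, _stream(b"/Type /Metadata /Subtype /XML", _XMP))             # XMP namespace noise
    + _obj(7, _link(b"0 0 100 20", b"http://farm.example/a1.pdf"))
    + _obj(8, _link(b"0 30 100 50", b"http://farm.example/a2.pdf"))
    + _obj(9, _link(b"0 60 100 80", b"https://cdn.example/a3.pdf"))
    + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    urls = extract_urls(SAMPLE_PDF)
    for url, channel in sorted(urls.items(), key=lambda kv: kv[1]):
        print(f"{channel:22} {url}")
    host, share, total = host_clustering(urls)
    print(f"dominant host: {host} ({share:.0%} of {total} non-metadata URLs)")
```

Run against the sample, the two farm.example actions and the cdn.example action come back as link annotations, the URL inside the compressed content stream as document text, and the RDF namespace as metadata, so the clustering share (50 % on farm.example) is computed over four URLs rather than five. A scanner would additionally walk object streams and handle hex-string and escaped /URI values, which this raw scan deliberately leaves out.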

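The PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristic above describes a check that is easy to run by hand. The following added example (written for this page, not the scanner's code) implements it on the raw file bytes, so it sees every definition of an object regardless of which one the xref table references, shows what a first-wins and a last-wins reader would each resolve, and raises severity only when a conflicting definition carries active content. The sample PDF with its appended incremental update is constructed for the demonstration; objects packed inside compressed object streams (/ObjStm) are out of scope for this raw scan.

```python
"""Find PDF indirect objects defined more than once with differing bodies.

Added example for this page, not the scanner's own code.  Scans the raw bytes,
so every definition is seen regardless of which one the xref table references.
Objects packed inside compressed object streams (/ObjStm) are not covered.
"""
import re
from collections import defaultdict

# "N G obj <body> endobj"; the lookbehind stops a match from starting mid-number.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)

# Dictionary keys that make a conflicting body worth a higher severity: each one
# triggers viewer behaviour (script, action, external target, attached file).
ACTIVE_RE = re.compile(
    rb"/(JavaScript|JS|Launch|URI|OpenAction|AA|SubmitForm|GoToR|EmbeddedFile|RichMedia)\b"
)


def find_duplicate_objects(pdf: bytes) -> dict:
    """Map (num, gen) -> list of body bytes, in file order, for objects that are
    defined more than once with at least two byte-wise different bodies."""
    defs = defaultdict(list)
    for m in OBJ_RE.finditer(pdf):
        defs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return {k: bodies for k, bodies in defs.items()
            if len(bodies) > 1 and len(set(bodies)) > 1}


def classify_duplicates(pdf: bytes) -> list:
    """One finding per conflicting object: what a first-wins and a last-wins
    reader would each resolve, and which active keys appear in any definition."""
    findings = []
    for (num, gen), bodies in find_duplicate_objects(pdf).items():
        active = sorted({m.group(1).decode() for b in bodies for m in ACTIVE_RE.finditer(b)})
        findings.append({
            "obj": f"{num} {gen}",
            "definitions": len(bodies),
            "first_wins": bodies[0],
            "last_wins": bodies[-1],
            "active_keys": active,
            # Body-only differences are routine in incremental saves; only escalate
            # when a definition carries content a viewer would act on.
            "severity": "high" if active else "info",
        })
    return findings


# Constructed sample: an original document followed by one incremental update
# that re-defines objects 4, 3 and 1.  Not the analysed file.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n"
    b"4 0 obj\n<< /Producer (v1) >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Info 4 0 R >>\n%%EOF\n"
    # --- incremental update appended after the first %%EOF ---
    b"4 0 obj\n<< /Producer (v2) >>\nendobj\n"                # body-only change: info
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n"    # identical redefinition: not reported
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R "
    b"/OpenAction << /S /JavaScript /JS (app.alert(1)) >> >>\nendobj\n"  # active content: high
    b"trailer\n<< /Root 1 0 R /Info 4 0 R /Prev 9 >>\n%%EOF\n"
)

if __name__ == "__main__":
    for f in classify_duplicates(SAMPLE_PDF):
        print(f"{f['obj']} obj: {f['definitions']} definitions, severity={f['severity']}, "
              f"active={f['active_keys']}")
        print(f"  first-wins: {f['first_wins'].decode()}")
        print(f"  last-wins:  {f['last_wins'].decode()}")
```

On the sample, object 4 0 is reported at info (a changed /Producer string, the benign incremental-update shape the heuristic text describes) and object 1 0 at high, because the second catalog definition adds an /OpenAction with JavaScript that a last-wins viewer would run while a first-wins scanner would never see it. Object 3 0 is redefined byte-for-byte identically and is not reported.
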
Extracted artifacts (9)

Files carved from inside the sample during analysis. All nine are sfnt (TrueType/OpenType) font programs, the expected output of a wkhtmltopdf/Qt render that embeds subsets of the system fonts it used; no heuristic fired on them, and the font copyright/licence URLs under Embedded URL come from their name tables.

Filename                     | Kind            | Source                                     | Size
font_00_sfnt_off00011092.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11092 | 3528 bytes
  SHA-256: 6bb51647102ba16d161fd5246a8d8b9ab7e9e887dc126d9f0beca6cc37b00359
font_01_sfnt_off00011d23.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11D23 | 4672 bytes
  SHA-256: 9d29d409ac8708690490a329d5debec4700f125f41373282bb2dfac2e043fc2c
font_02_sfnt_off00012ce5.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12CE5 | 3992 bytes
  SHA-256: 3a22ad57fc344cc97733ae57b5f82abd0228d68a3d60ba4e6050f1da2789c059
font_03_sfnt_off0001395b.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1395B | 1532 bytes
  SHA-256: c3d206acd4941be18df4fb7d5b171c6fae20253f2362154696fe192bead5df0b
font_04_sfnt_off000141b1.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x141B1 | 17000 bytes
  SHA-256: 3ba8bf35e475ba3cc8f5e75d7b543d983614b8f0c1c48fabdb7b71a2ed74f8e0
font_05_sfnt_off000176ef.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x176EF | 16668 bytes
  SHA-256: c6719855153f8bd7a5f255be6c8c5b9be53e50d837b5f43b903a22d9b7cabe69
font_06_sfnt_off00018e08.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x18E08 | 2180 bytes
  SHA-256: cbba16cc580db49bbc873289a34d61d020cb53418d354ef99ec9a7d820fef677
font_07_sfnt_off00019738.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x19738 | 4324 bytes
  SHA-256: 4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3
font_08_sfnt_off0001a4f9.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1A4F9 | 6060 bytes
  SHA-256: 18b6db6700300510989a0eab44ae4b1860c80ab0b4a63bc36948052babf2ffbe