Malicious PDF — malware analysis report

Static analysis result for SHA-256 909c2e2051927420…

MALICIOUS

PDF

Size: 193.3 KB
Created: 2021-05-10 04:30:57 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-08-20
MD5: 29c764e257d4185d448e36c0616dca29
SHA-1: e01f92e5d96bc98587e5767a10b07fb152ad637d
SHA-256: 909c2e205192742005b1c5c37ee01ed1b1c923d8e55ebce894a92711e3283cb4
Risk Score: 134

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

Heuristics matched on this PDF indicate a link farm hosted on disposable infrastructure and designed to redirect users. The embedded URL and the document body suggest a "download this content" lure, a common phishing tactic. A ClamAV detection further supports the malicious verdict.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6803

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://nipisod.ru/strik?utm_term=lord+of+the+rings+all+parts+download+free (PDF link annotation)

Extracted artifacts (14)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size (SHA-256 of the carved file on the following line)
stream_006_off0001e08e.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x1E08E 4152 bytes
SHA-256: 3e00007926d71a15434e4067e84115ccac73cc82275ae807f27a22dd16a487f4
stream_015_off0002ad0d.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x2AD0D 26188 bytes
SHA-256: 0f00e0f2cb623b48d5030d045f5f8a0f3054f83c3448b045a894bfc1d1d5df27
font_00_sfnt_off0001a19d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1A19D 8968 bytes
SHA-256: 3e679317895732371a3faa046e3928e484725a1d920cdf47c262ea5de7ce8b20
font_01_sfnt_off0001b8f4.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1B8F4 6188 bytes
SHA-256: 8b29cebf5aa19688230e00b701c1086dc993e705f4d80d0f08ab64743a4e80ae
font_02_sfnt_off0001ce59.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1CE59 5336 bytes
SHA-256: 9ff1205c2d1a6b9e14c0b94b88633540470ab294a73550e9abfa3195daf37bc2
font_04_sfnt_off0001efa6.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1EFA6 5220 bytes
SHA-256: 6899069e074361ff9ae708c8938aab8e9cfc0086f4cad1e18bedb901cd4f4ac6
font_05_sfnt_off000200cd.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x200CD 6704 bytes
SHA-256: be65d23da9085eebde270cf50bae662999da9bad1f88d04c35f347e763800b1d
font_06_sfnt_off0002141d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x2141D 3856 bytes
SHA-256: 9e1d20c9c767db21051d39ab341d57e975972d26d8acc6cd24c097221bb46082
font_07_sfnt_off000222ba.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x222BA 3576 bytes
SHA-256: fb25a5190e71ae4b4d0233f2ecc5e3ace0835e2457237484fcac97ca6d740ff8
font_08_sfnt_off000230c8.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x230C8 7320 bytes
SHA-256: bcd6ee395b23653991fcfd2ad4e93d0518038c5713fea0d29b144a22cb193c05
font_09_sfnt_off000247ce.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x247CE 3668 bytes
SHA-256: cadb482540265dfbf985d6c8a20a1b6cb5cf296f080c60da894f9023e01a307e
font_10_sfnt_off000255f4.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x255F4 7376 bytes
SHA-256: 6c8d76523fc731797468ff22f50887c772797c1cccd158ee346419ca21b0e14e
font_11_sfnt_off000269ec.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x269EC 25416 bytes
SHA-256: 51b0d56fe4ce000ea197386bb57ab4d372f455e084a47e2c090bcac90703e77e
font_13_sfnt_off0002e15b.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x2E15B 4420 bytes
SHA-256: 24f9e86b3c3d88b1c8f1c37a60b109569290bf3b0c9903c4473384ee93791f65