Malicious PDF — malware analysis report

Static analysis result for SHA-256 9198d357e5e0cb3d…

MALICIOUS

PDF

75.0 KB Created: 2021-04-07 22:12:21 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-14
MD5: c7fd9e5604feac19f4b84a15280f7df9 SHA-1: 9f679eeb82b52b7dd46b53464ee0b1b383504369 SHA-256: 9198d357e5e0cb3d57da3a47d85ecf1b0af0e03b57f363ffc51208f24dd1584d
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF document contains numerous external links, many hosted on disposable domains, suggesting a link farm or phishing campaign. The heuristic PDF_SEO_LINK_FARM and PDF_SEO_DISPOSABLE_LINK_FARM indicate a large number of links pointing to external PDFs, with one URL specifically mentioning 'vlc player gratis', likely a lure. The ML classifier and ClamAV detection strongly indicate malicious intent, likely related to phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://nipisod.ru/123?utm_term=vlc+player+gratis PDF link annotation
    • https://ligefunodimab.weebly.com/uploads/1/3/1/3/131398292/kigunulidexaxabipos.pdfIn PDF document text
    • https://cdn.sqhk.co/rakujolo/hBjjUgg/subnautica_reaper_leviathan_size.pdfIn PDF document text
    • https://cdn.sqhk.co/dibirolinu/D5iiEno/slam_dunk_leeds_2019_line_up.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4502436/normal_5fe58a0a89b2b.pdfIn PDF document text
    • https://bagugesi.weebly.com/uploads/1/3/0/7/130775983/375ced2355483.pdfIn PDF document text
    • https://cdn.sqhk.co/fojufifef/zihxhd6/ninja_turtles_2014.pdfIn PDF document text
    • https://vegirizixe.weebly.com/uploads/1/3/4/7/134716682/vupikemoneg.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4412174/normal_5fe829a0349d4.pdfIn PDF document text
    • https://pudabesipewoz.weebly.com/uploads/1/3/0/9/130969441/bd41f57c7d.pdfIn PDF document text
    • https://cdn.sqhk.co/viwitukaz/gdhifif/comethazine_bawskee_3._5_album_zip.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4466662/normal_5fc9daf248897.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4472753/normal_5feb52481b0b8.pdfIn PDF document text
    • https://cdn.sqhk.co/surikuzezun/KjaWE06/88535063944.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://835a0401-7144-467e-aacc-710587930ffc.filesusr.com/ugd/432cba_1f34e7995a4c496eb72cf315a14086ab.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/9dccbb13-1f62-49ed-9b30-d2259e87e495/34979952621.pdfIn PDF document text
    • https://a5a8f6e1-24ae-425c-880d-6f4079e3c376.filesusr.com/ugd/035627_487e7cb63a8e45b6b6bb4497c7f603be.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/a596d9f5-848c-407b-bcb1-0b4f8b3f8d6f/windows_10_usb_stick_missing_operating_system.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/ae6abf42-8147-43f1-9b34-2aef1ab301e1/simmons_oneview_ufc.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/d8299392-d6a6-4c2c-89ed-5437937932ef/does_costco_sell_massage_chairs.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e823.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE823 5168 bytes
SHA-256: 0fed12d2447d42082d9df725145a4754c582a4f7d09e7ec0086ada77f4b589c9
font_01_sfnt_off0000f9d6.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF9D6 11840 bytes
SHA-256: 864bcfe5a58e57d6fceda12165346a95f5e7dc3aaa4df724ad690e63d74e42d4