Malicious PDF — malware analysis report

Static analysis result for SHA-256 9251bd54ae01fdf1…

MALICIOUS

PDF

Size: 105.1 KB
Created: 2021-05-22 12:18:55 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-20
MD5: 730ff979c4d2ec9bec9363f972031c04
SHA-1: 915994c1e57760776b5fd96a7d29d873111e1850
SHA-256: 9251bd54ae01fdf1df621f5db15cf7b7317f48a0bf618460ccea494365ba3a0c
Risk Score: 164

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, a common tactic for link farms or phishing campaigns. The 'SE_URGENCY_LURE' heuristic suggests the document attempts to create a false sense of urgency to prompt user interaction. The ML classifier and ClamAV detection strongly indicate malicious intent, likely related to phishing or malware distribution via the embedded links.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9822

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off000123c3.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x123C3 | 2988 bytes | f244152f1735ecea2e0015db16f4eec7c19935d3b03785c1fb693a5a6caaf07b
font_01_sfnt_off00012e73.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12E73 | 5104 bytes | 1fdd366b842d1acefceac388b541bfbb32c1ba59721cc7cd060a389e947af24b
font_02_sfnt_off00013fd5.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13FD5 | 2744 bytes | dae0f12506c17deaa818396cb86411da2f7a72f10e575d6fda98e021880a3e82
font_03_sfnt_off00014b80.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x14B80 | 11468 bytes | 8ae4142ef09d9c53fc91535f8027e4b87f486b834854dd097f314c2938b26232
font_04_sfnt_off000172be.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x172BE | 16036 bytes | 9559dd1bd908241551916101fda3d445a26f5c4b506a1423f23393456f9d5940
font_05_sfnt_off00018727.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x18727 | 4324 bytes | 0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333