Malicious PDF — malware analysis report

Static analysis result for SHA-256 9270ee7746485ea0…

MALICIOUS

PDF

85.0 KB Created: 2021-03-11 14:48:35 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-07-13
MD5: ce533515b8271c37bb9f39645a527b50 SHA-1: 0504835ffd4a791bff3d7b9e3b7700a04567be84 SHA-256: 9270ee7746485ea0f0e48436b13feeb63307feeda54858e0534f0c352ac35a87
194 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as malicious by ML classifiers and ClamAV, indicating a phishing or trojan payload. It contains a large number of external links, many hosted on disposable domains, suggesting a link farm designed to distribute malware or lead to phishing sites. The presence of a download button lure further supports a malicious intent to trick the user into downloading a payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://lozipotod.ru/aws?utm_term=california+association+of+realtors+rental+agreement+addendum PDF link annotation
    • http://sitizinudex.getenjoyment.net/55172540117.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4402745/normal_5fe6e3bba55b1.pdfIn PDF document text
    • https://cdn.sqhk.co/jisanipu/hibqjeY/bopemobiwiwosepu.pdfIn PDF document text
    • https://cdn.sqhk.co/liripudeb/ihifge4/.pdfIn PDF document text
    • https://tolibalib.weebly.com/uploads/1/3/4/7/134714968/deluvel.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4447465/normal_5fe0d02f40410.pdfIn PDF document text
    • http://zomolejefej.mywebcommunity.org/83162467853.pdfIn PDF document text
    • https://cdn.sqhk.co/vafegijateno/cTOjit6/ecru_white_color_hex_code.pdfIn PDF document text
    • http://tiwilofojifig.sportsontheweb.net/35531335927.pdfIn PDF document text
    • https://nukimaxirob.weebly.com/uploads/1/3/0/7/130776041/webux_wegisenavu_kaxem.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4406806/normal_5fd6232cc0798.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4383687/normal_5fcf58a02971b.pdfIn PDF document text
    • http://fezufizibum.mypressonline.com/admiral_heavy_duty_super_capacity_washer_manual.pdfIn PDF document text
    • http://nopuvobetag.mygamesonline.org/how_to_remove_bosch_stacking_kit.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4369776/normal_60195832ecf64.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://www.daltonmaag.com/In PDF document text
    • https://6ba8113a-99dc-4618-97bf-d7180f10ff72.filesusr.com/ugd/b6edda_9b747bac5da546b1abb394947426a50f.pdf?index=trueIn PDF document text
    • https://6e37e838-c278-4d46-baa9-25b8497af200.filesusr.com/ugd/fbcb80_31c078ac590948d8bef25397265e56fa.pdf?index=trueIn PDF document text
    • https://7722bba5-72ad-4d15-a72d-9ce9fbdcf1b5.filesusr.com/ugd/772ad5_2d943a9b7da74d4cbb0f2df4f74c776b.pdf?index=trueIn PDF document text
    • https://42190e62-4dca-482d-a077-ae7b222d7779.filesusr.com/ugd/b91392_bc7b38a5f8844d99871a881d6c0aa081.pdf?index=trueIn PDF document text
    • https://2a983b51-2e13-4971-8c1f-a5bca3ab4353.filesusr.com/ugd/e1a791_7ba582ef70f042d19fe2d177d56e3c88.pdf?index=trueIn PDF document text
    • https://aa6d2f86-95e2-42cc-897e-6bbd71c3a116.filesusr.com/ugd/78daac_f5fe2feecf4242aabb1b8ac8c6f5975b.pdf?index=trueIn PDF document text
    • https://441768bb-9839-4df4-8f78-dd1233b527f6.filesusr.com/ugd/7e6080_dc0a09ab264841a5bc8de44fa951cf90.pdf?index=trueIn PDF document text
    • https://d19688e0-347f-4d9d-8cb3-d47c6e049f3d.filesusr.com/ugd/c618e9_f3542f9325b5470ebd727bfaa443de21.pdf?index=trueIn PDF document text
    • https://cb2d4818-2134-4ea5-ae57-1bc45cfc4292.filesusr.com/ugd/7e787c_d33e7935e23a4500b237e475936b6711.pdf?index=trueIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f825.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF825 5248 bytes
SHA-256: b3f0b65fda824a361a92486443af0c2540d6579e25ffc26bb017093f3c889cb4
font_01_sfnt_off000109e0.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x109E0 13860 bytes
SHA-256: fc134a1bb6c2ad14096b35004c458c5104329ca133abe3dc14b4d3a5840e9daf
font_02_sfnt_off00013566.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x13566 4324 bytes
SHA-256: 05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176