Malicious PDF — malware analysis report

Static analysis result for SHA-256 9341396f4999e06b…

Verdict: MALICIOUS
File type: PDF
Size: 80.9 KB
Created: 2021-03-09 06:02:09 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-16
MD5: fdf47e532280d687e26b6bfe91cfc473
SHA-1: d853758fe2435f73c1e850ea7a84c04e86f87755
SHA-256: 9341396f4999e06bb709290b55b1f977b19f913d2aac021eb1437e45bb30319d
Risk score: 186

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript (none of the heuristics below report embedded JavaScript, so this mapping is not corroborated by the static findings)

The sample is a small, wkhtmltopdf-generated PDF whose body consists of external links to other PDFs on free hosting providers, the pattern of an SEO link-farm carrier rather than of a genuine document. Its one clickable link annotation resolves to https://crophysi.ru/strik?utm_term=porque+fue+censurado+el+libro+las+flores+del+mal, a utm_term redirector whose lure is a Spanish search query about a censored book (Las flores del mal). The ML classifier and the ClamAV signature agree that the file is malicious. The PDF itself carries no exploit code; the risk lies in the redirect and payload chain behind the linked destinations, which should be treated as phishing or unwanted-software delivery infrastructure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (6)

  • CLAMAV_DETECTION (critical): ClamAV detected this file as malware with signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0.
  • PDF_SEO_LINK_FARM (critical): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_SEO_DISPOSABLE_LINK_FARM (medium): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the "free document/template" SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
    Both link-farm variants fired on this sample: uploads.strikinglycdn.com hosts nine of the 27 linked PDFs, enough to register as a dominant host, while the remaining links are spread across 22web.org, rf.gd, epizy.com, mypressonline.com, filesusr.com and other free hosts.
  • PDF_URI (info): PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content (an action, JavaScript, or similar); here it did not.
  • EMBEDDED_URL (info): One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL channel label below records how each URL was reached (link annotation, document text, macro, JavaScript, ...).
    • https://crophysi.ru/strik?utm_term=porque+fue+censurado+el+libro+las+flores+del+mal (PDF link annotation)
    • http://renavakurexiroz.22web.org/kopupegusatowelurotivej.pdf (in PDF document text)
    • http://vutunema.mypressonline.com/sunbeam_sb1818_compact_sewing_machine_and_sewing_kit.pdf (in PDF document text)
    • http://zokazurimila.mygamesonline.org/liwopejar.pdf (in PDF document text)
    • http://defokozixeral.sportsontheweb.net/faweregujubitoma.pdf (in PDF document text)
    • http://gexomafe.mypressonline.com/tevilafojafujazikosezex.pdf (in PDF document text)
    • http://gofimowekes.66ghz.com/greeting_card_template_illustrator.pdf (in PDF document text)
    • http://baxagaxisatipa.22web.org/baptism_invitations_girl_template.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://uploads.strikinglycdn.com/files/86902a5d-44e1-4905-aadd-049968c10a19/wexivomifuporot.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/8dc0968b-cf24-4f31-9d66-2117982e9837/which_is_the_best_robot_vacuum_cleaner_to_buy.pdf (in PDF document text)
    • http://jurelofi.epizy.com/71864775922.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/f87e88c0-04ac-47b4-950d-52cc94b19216/61450402751.pdf (in PDF document text)
    • https://1dab3517-3db0-43ff-9fd6-b65b51f65b60.filesusr.com/ugd/565485_358c3e75077a4ae7ae3b82136fe94066.pdf?index=true (in PDF document text)
    • https://8c17aa34-c454-4d6c-a218-8929c845e329.filesusr.com/ugd/808cd0_e86b80dbd29b4454b39a0355b2a8ff96.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/655b5a11-2c92-4135-aa16-737b9f57ab44/rumipowasezokexapaxur.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/447b579c-d5f1-476f-a334-52e202843514/zuvanaxiniribefaluwi.pdf (in PDF document text)
    • http://kofakaduwa.rf.gd/who_was_born_on_july_22_1998.pdf (in PDF document text)
    • http://fuwasal.rf.gd/birthday_wishes_images_for_girlfriend_free.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/afbdf6ee-6534-4eb5-a10f-a400253f5b60/kinavarumetigiras.pdf (in PDF document text)
    • https://24218389-b518-4ca3-8548-65eaf758daa4.filesusr.com/ugd/c836c3_f2ac7fb02a784d3c81718e9117bf2d4a.pdf?index=true (in PDF document text)
    • http://vevaxadebelag.epizy.com/how_to_fix_vizio_black_screen.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/e1dfbbf5-3300-4c6c-9385-2df2ef3ebc35/74118412167.pdf (in PDF document text)
    • http://wijawogenaga.epizy.com/cuantos_huesos_tiene_el_cuerpo_humano_de_un_nio.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/7f9168fe-b2cc-45d0-a635-2d2a62b8f8ac/29468920902.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/0fdcba80-e43c-4792-ad5b-0b6d5ee22ee6/will_it_snow_this_year_in_portland_oregon.pdf (in PDF document text)
    • http://kajilurugo.rf.gd/google_sheets_if_empty.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    Triage note: the last seven entries are not navigable links. The w3.org, purl.org and ns.adobe.com URIs are RDF, Dublin Core and XMP schema namespaces from the document's XMP metadata, and scripts.sil.org/OFL is the SIL Open Font License reference that embedded fonts normally carry in their metadata. The two www.ascendercorp.com entries (a font foundry) most likely come from the embedded sfnt fonts listed under Extracted artifacts as well. The 27 free-host PDF links plus the crophysi.ru redirector are the indicators worth blocking or hunting on.
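As an added example, not code from the original report or from its analysis engine, the following Python script reproduces the two checks described above: extraction of URLs by channel (link annotation versus raw document text) with the link-farm scoring used by the two PDF_SEO_* heuristics, and detection of an indirect object defined twice with different bodies (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL), reporting what a first-wins and a last-wins reader would each resolve. It runs on a constructed PDF skeleton embedded in the script, not on the analysed sample; the disposable-host suffix list, the thresholds (min_links, cluster_share) and the action-keyword list are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample, not the analysed file: a PDF skeleton (stream /Length
# values are placeholders; it is not meant to render) with one link annotation,
# a content stream listing "free template" PDF URLs, XMP namespace URIs, and
# object 5 0 defined twice with different bodies, as in an incremental update.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 6 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] /Contents 7 0 R >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A 5 0 R >> endobj
5 0 obj << /S /URI /URI (https://example.org/readme.pdf) >> endobj
6 0 obj << /Type /Metadata /Subtype /XML /Length 0 >> stream
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/>
endstream endobj
7 0 obj << /Length 0 >> stream
BT (http://aaa.22web.org/template.pdf) Tj (http://bbb.rf.gd/invitations.pdf) Tj
(https://uploads.strikinglycdn.com/files/1/x.pdf) Tj (http://ccc.epizy.com/y.pdf) Tj
(http://ddd.mypressonline.com/z.pdf) Tj (https://uploads.strikinglycdn.com/files/2/w.pdf) Tj ET
endstream endobj
5 0 obj << /S /URI /URI (https://crophysi.ru/strik?utm_term=porque+fue+censurado) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
URL_RE = re.compile(rb"https?://[^\s()<>\"']+")
ACTIVE_RE = re.compile(rb"/(URI|JS|JavaScript|Launch|SubmitForm|GoToR)\b")
# XMP / font-licence namespace hosts: schema identifiers, never click targets.
NAMESPACE_HOSTS = {"www.w3.org", "purl.org", "ns.adobe.com", "scripts.sil.org"}
# Free/disposable hosting suffixes (assumption: starter list taken from the
# hosts in this report; extend it from your own telemetry).
DISPOSABLE_SUFFIXES = ("22web.org", "rf.gd", "epizy.com", "mypressonline.com",
                       "mygamesonline.org", "sportsontheweb.net", "66ghz.com",
                       "strikinglycdn.com", "filesusr.com")

def find_duplicate_objects(pdf):
    """(num, gen) -> {'bodies': [...in file order], 'active': bool} for objects defined
    more than once with differing bodies; first-wins readers take bodies[0], last-wins bodies[-1]."""
    bodies = {}
    for m in OBJ_RE.finditer(pdf):
        key = (int(m.group(1)), int(m.group(2)))
        bodies.setdefault(key, []).append(m.group(3).strip())
    return {k: {"bodies": v, "active": any(ACTIVE_RE.search(b) for b in v)}
            for k, v in bodies.items() if len(set(v)) > 1}

def extract_urls(pdf):
    """(url, channel) pairs: 'link-annotation' for /URI actions, otherwise
    'document-text' for any http(s):// string in the raw bytes; deduplicated."""
    found, seen = [], set()
    for m in URI_ACTION_RE.finditer(pdf):
        url = m.group(1).decode("latin-1")
        if url not in seen:
            found.append((url, "link-annotation"))
            seen.add(url)
    for m in URL_RE.finditer(pdf):
        url = m.group(0).decode("latin-1").rstrip(".,;")
        if url not in seen:
            found.append((url, "document-text"))
            seen.add(url)
    return found

def classify_link_farm(urls, min_links=5, cluster_share=0.5):
    """The two PDF_SEO_* heuristics: many links clustered on one dominant host, or many
    links spread thin across disposable hosts / via a utm_term redirector (thresholds assumed)."""
    hosts, disposable, utm_redirector = [], 0, False
    for url, _channel in urls:
        parts = urlsplit(url)
        host = parts.hostname or ""
        if host in NAMESPACE_HOSTS:
            continue  # schema namespaces are not destinations, skip them
        hosts.append(host)
        disposable += any(host == s or host.endswith("." + s) for s in DISPOSABLE_SUFFIXES)
        utm_redirector |= "utm_term" in parse_qs(parts.query)
    n = len(hosts)
    top_host, top_count = Counter(hosts).most_common(1)[0] if hosts else ("", 0)
    result = {"links": n, "distinct_hosts": len(set(hosts)), "disposable": disposable,
              "utm_redirector": utm_redirector, "top_host": top_host,
              "top_share": top_count / n if n else 0.0}
    if n < min_links:
        result["verdict"] = "normal"
    elif result["top_share"] >= cluster_share:
        result["verdict"] = "PDF_SEO_LINK_FARM"
    elif disposable or utm_redirector:
        result["verdict"] = "PDF_SEO_DISPOSABLE_LINK_FARM"
    else:
        result["verdict"] = "many-links-unclassified"
    return result

if __name__ == "__main__":
    for key, info in find_duplicate_objects(SAMPLE_PDF).items():
        print("duplicate object", key, "active=%s" % info["active"], info["bodies"])
    urls = extract_urls(SAMPLE_PDF)
    print(*("%-16s %s" % pair[::-1] for pair in urls), sep="\n")
    print(classify_link_farm(urls))
```

On the constructed sample the duplicate object 5 0 is reported as active (it carries a /URI action), with a first-wins reader resolving the harmless example.org link and a last-wins reader resolving the utm_term redirector, and the link set scores as PDF_SEO_DISPOSABLE_LINK_FARM because no host holds half the links while six of the eight sit on disposable hosts. The regexes work on raw bytes on purpose, so they also see objects hidden in incremental updates and text that a structural parser would drop; they will not see URLs inside compressed streams or object streams, which a full triage would inflate first.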

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000fb90.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFB90
    Size: 5436 bytes
    SHA-256: 6609d763a7daec3eb5e7db1613872fcdb466b286ea099663f29ec7a67b7752b0
  • font_01_sfnt_off00010df0.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10DF0
    Size: 11824 bytes
    SHA-256: 7dde7cade1ada87b647bdc3376bf65823087f700d7254917e36a3c4b826bfb31