Malicious PDF — malware analysis report

Static analysis result for SHA-256 93b251a3a326ac21…

MALICIOUS

PDF

Size: 90.3 KB
Created: 2021-06-06 08:39:50 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-24
MD5: f533fc277f513f06e221c7f944bdf27a
SHA-1: 24a4b61df3e85d92d565f2e40cca7e964d198305
SHA-256: 93b251a3a326ac2193cee35a849212c78df7a13eaf21346155c1252e6c0e9dcb
Risk Score: 186

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9964

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://leonvi.ru/123?utm_term=big+ideas+math+book+answers+algebra+2 (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off00011f2e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11F2E | 5716 bytes
  SHA-256: 812572f059de2bbbf355163b70b32056066ef510d95a48e8020f7b93ee80b852
font_01_sfnt_off00013292.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13292 | 12580 bytes
  SHA-256: 29853366db8fd66aa9042ceba6d482a1aec72e4e24c5f1c2470c2193dfbe3462