Malicious PDF — malware analysis report

Static analysis result for SHA-256 94c56e78d1e2a65a…

MALICIOUS

PDF

92.2 KB Created: 2021-06-09 11:50:07 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-25
MD5: 9b24873eec9c1a7794a7e57b63aa865b SHA-1: 33001f709e3ef28a885e004708e50140481c7c17 SHA-256: 94c56e78d1e2a65a7e490f07cb11275843c388e52da0c31407b57290acd98e38
226 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution T1059.007 JavaScript

This PDF document is identified as malicious by multiple heuristics and a machine learning classifier, including ClamAV's Pdf.Phishing.Trojan detection. It contains a large number of external links, many hosted on disposable domains, suggesting a link farm or phishing operation. The document also contains instructions to disable security software, a high-risk indicator. The embedded URLs and link farm structure indicate an attempt to redirect users to malicious content, likely for credential harvesting or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Security software disable instruction high SE_SECURITY_BYPASS
    Document instructs the user to disable antivirus or security software — unusual for ordinary documents and high-risk in an unsolicited file
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://pixomot.ru/pbw?utm_term=download+windows+7+professional+32+bit+bootable+usb PDF link annotation
    • https://jewumuseporefi.weebly.com/uploads/1/3/4/5/134599703/4111737.pdfIn PDF document text
    • https://webavetoromezo.weebly.com/uploads/1/3/5/3/135346546/3861691.pdfIn PDF document text
    • https://static.s123-cdn-static-d.com/uploads/4488339/normal_60afe97253cfe.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4490547/normal_5fce7b8f172b1.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4469359/normal_603e4122e60a0.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4372983/normal_5ffb240393ee0.pdfIn PDF document text
    • https://jikanozirupeson.weebly.com/uploads/1/3/4/6/134656521/5588160.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4476148/normal_60557a6311955.pdfIn PDF document text
    • https://varukixenusenat.weebly.com/uploads/1/3/4/7/134700479/nadinegigimuxuvigasu.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4413118/normal_601463d3735cf.pdfIn PDF document text
    • https://watepiwod.weebly.com/uploads/1/3/2/7/132710700/megogajimerani-wofosujesebu.pdfIn PDF document text
    • https://zujujogonawanuk.weebly.com/uploads/1/3/4/8/134879196/lilarolozale.pdfIn PDF document text
    • https://tifixexeruwa.weebly.com/uploads/1/3/2/6/132682204/daf63ce9745484f.pdfIn PDF document text
    • http://www.opentle.orgIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/eeec3687-a9aa-4703-b51b-085fa28e4c41/walmart_black_friday_hours_ma.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/ee6f1d72-b34d-4c5a-bc57-d08573a10539/filezixamavediniw.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/71fb8064-37ce-424c-b427-531b922fa7c1/25522450853.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/9ebb09dc-622c-4224-8e84-e52c97c61c1f/44777690157.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/8143fc8f-a54c-4ae2-9651-16a0fd662944/is_john_wick_parabellum_on_netflix.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/93281075-2e07-426c-b13f-250dc4aba60d/39335696477.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://www.gnu.org/licenses/gpl.htmlIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_003_off00011157.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x11157 14724 bytes
SHA-256: ec288722df3f243a13f9e8690dff6ba498da2d1d95aebae21efdc801459d31e7
font_00_sfnt_off0000fe00.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFE00 5644 bytes
SHA-256: 60183339d4e0ce99c2cade6be1bd45b9aae5db8b110b2f0adf45206e8a48679f
font_02_sfnt_off000139c7.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x139C7 11404 bytes
SHA-256: 61ff74ed0d1f5c34e0a9f8b7d879d00d5e234ef1483a62f0adab2f04c006ef38