Malicious PDF — malware analysis report

Static analysis result for SHA-256 9580e8151f716ace…

MALICIOUS

PDF

Size: 92.3 KB
Created: 2021-03-10 01:30:33 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-22
MD5: a1885dae881379c9d6f0ce9987208b4f
SHA-1: 51152c649c92dcacd1dfcb945980c220349334f9
SHA-256: 9580e8151f716acea948b3ddee5345b47a218f5cadf14c57b81675eeed213a93
Risk Score: 186

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged as malicious both by ClamAV and by an ML classifier. The file embeds a large number of external links, a pattern characteristic of an SEO link farm. The specific URLs and indicators for this sample are listed in the indicators section below.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://jumiwimov.ru/aws?utm_term=the+book+thief+complete+pdf+download (PDF link annotation)
    • https://cdn.sqhk.co/dasadogiso/zbjhEim/real_followers_for_instagram_apk.pdf (in PDF document text)
    • http://servicesforsupport.com/47348207331yr8t0.pdf (in PDF document text)
    • https://cdn.sqhk.co/dixufeja/fgihfjd/amazon_advertising_success_stories.pdf (in PDF document text)
    • https://cdn.sqhk.co/vasibejovej/midXhcP/legend_of_the_sword_in_the_stone_summary.pdf (in PDF document text)
    • https://cdn.sqhk.co/woxekivepi/jgeiagj/voice_coach_winners.pdf (in PDF document text)
    • http://flathead.us/polyatomic_ions_worksheet_keyzpcqb.pdf (in PDF document text)
    • https://cdn.sqhk.co/tenalewi/IaTieii/77032718273.pdf (in PDF document text)
    • https://cdn.sqhk.co/fovipobex/ja7ChgU/uefa_champions_league_standings_rules.pdf (in PDF document text)
    • https://cdn.sqhk.co/zozimevoket/jfEjfZa/photo_editor_freeware_mac.pdf (in PDF document text)
    • http://naturaitalia.space/xem_bi_c_khanh_thi_hw5soh.pdf (in PDF document text)
    • http://hookup153.online/35390406445qeyti.pdf (in PDF document text)
    • https://cdn.sqhk.co/liregagibago/5jhfWgd/nba_2k20_demo_release_date_uk.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://uploads.strikinglycdn.com/files/ad8792a1-6674-43a9-9d2e-10bf9326a7f9/cuisinart_dcc_3000_12-cup_on-demand.pdf (in PDF document text)
    • https://d62ff7d9-aefc-4ab8-8cdf-af38868aea16.filesusr.com/ugd/54b9a1_f7235285e22146868a3d3533514376cc.pdf?index=true (in PDF document text)
    • https://064d663d-f6b2-44cf-a6ad-083da5f315e5.filesusr.com/ugd/77eba6_d86baeaebfa04d05b289cfedf0e4fc8e.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/32872a11-33d5-429f-8a08-e282eb4c497d/bissell_proheat_turbo_2x_troubleshooting_no_suction.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/40334ee0-34f7-4e92-aff0-34b4b679f879/66373776103.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/c12d711a-b42d-46fe-96d2-aedd796158ce/what_is_the_best_routine_to_build_muscle.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/3aec999f-5002-4d5c-b71a-c720a8f94f64/is_there_a_th_sound_in_russian.pdf (in PDF document text)
    • https://8533cbf3-c0d6-400c-bdf8-8ca38cf0242b.filesusr.com/ugd/135178_6e7129426c2048808217948f215666f8.pdf?index=true (in PDF document text)
    • https://c216880a-03a2-4774-ab7e-121c93799e8f.filesusr.com/ugd/b5aed9_28d8d6783ce64b5e8188e746ea33c110.pdf?index=true (in PDF document text)
    • https://850a36a1-966c-46c3-86ed-e15bcb5778a7.filesusr.com/ugd/ede58b_ab5d917fc5ec4eb9a3cbc150918a2885.pdf?index=true (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00012519.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12519
    Size: 5364 bytes
    SHA-256: 306fa88a36c3d60c157be7ea324df348eaa3013938dfdaeae7dd569b517fa077
  • font_01_sfnt_off00013745.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x13745
    Size: 13932 bytes
    SHA-256: 661d54bb865f696813e5a05f7567a4bb99dae92e523243f3534d926fecedeebe