Malicious PDF — malware analysis report

Static analysis result for SHA-256 9bd75e685bef8d1e…

MALICIOUS

PDF

79.1 KB Created: 2021-04-13 02:45:13 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-20
MD5: 4305c60a8bfa724164a226066719ef80 SHA-1: 7990d72b62d4d51f82b92edf1f042a007c8f0290 SHA-256: 9bd75e685bef8d1e2a42e511259bc9a7558c896c1e6c44aacc51a2cf741caf1b
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document functions as a link farm, directing users to multiple external URLs under the guise of providing information. The primary URL, https://baarspo.ru/strik?utm_term=what+does+red+light+on+verizon+router+mean, suggests a phishing or scam attempt by luring users with a common technical query. The presence of numerous external links, many hosted on disposable domains, indicates a malicious intent to drive traffic to potentially harmful sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://baarspo.ru/strik?utm_term=what+does+red+light+on+verizon+router+mean PDF link annotation
    • https://cdn-cms.f-static.net/uploads/4454694/normal_5fd10d748ef22.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4449603/normal_601d98f7d3a1f.pdfIn PDF document text
    • http://tasiperop.medianewsonline.com/93381657083.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4380395/normal_602dda3e0f502.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4380379/normal_5fdc78e070923.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4448551/normal_602bde0470aba.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/d1ae733c-480d-44eb-b791-ce3c59785d27/jojev.pdfIn PDF document text
    • https://5663e088-3595-439c-971a-5873693bee35.filesusr.com/ugd/e98895_702132e7b2e7491088813b53bede9dac.pdf?index=trueIn PDF document text
    • http://jafixomedimun.onlinewebshop.net/48609468404.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/b90b4a9d-a666-4b5e-aa44-523a5d6d399f/garmin_gps_55_review.pdfIn PDF document text
    • https://5be7aec3-7d66-433b-ae1d-2bfb807ddf2a.filesusr.com/ugd/24deb6_9d9215767c7c42739b71d80aacb14c4a.pdf?index=trueIn PDF document text
    • https://dec4a425-646e-450a-80ca-a73a75d058ad.filesusr.com/ugd/ba3095_b6f490ac675c4b968307331235585964.pdf?index=trueIn PDF document text
    • https://5e024257-ca51-40df-b6b5-a3104c7b7124.filesusr.com/ugd/97368a_f08b0422d1984c81b06a5d878c897acd.pdf?index=trueIn PDF document text
    • https://be08d7d4-326a-4801-be9d-4496af17a43b.filesusr.com/ugd/d31907_492a9184a9b34350bf822a767f25e4fa.pdf?index=trueIn PDF document text
    • http://rususekobijo.myartsonline.com/27717834437.pdfIn PDF document text
    • https://b09d99c6-da67-4e55-b5b3-baceba093817.filesusr.com/ugd/a69c6c_84219907de754f239baa43632ac2e5ee.pdf?index=trueIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f343.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF343 5364 bytes
SHA-256: fb6c2b792f51cbdc4f070bb2114a604195e93820e602dd670b4830a87879dbfd
font_01_sfnt_off0001056d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1056D 12708 bytes
SHA-256: 82ece1a92d252f784691f0a084890c66a94041578db1c1b0dcba9a443cf01117