Malicious PDF — malware analysis report

Static analysis result for SHA-256 9c9387b1b3d9d9c9…

Verdict: MALICIOUS
File type: PDF

Size: 81.8 KB
Created: 2021-03-14 14:15:27 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-29
MD5: 3afa89d7e28b11c409d092a8a510261d
SHA-1: 645dde18ebddc70aa95688c71b0c4925213571ee
SHA-256: 9c9387b1b3d9d9c9567554f5864ba9bb2959fc5adda2d580bd67176b57c7a730
Risk Score: 156

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is a small, tool-generated PDF (wkhtmltopdf) whose body text carries dozens of external links to other .pdf files, most of them clustered on a few file-hosting domains (filesusr.com, s3.amazonaws.com, f-static.net). That is the shape of a generated SEO link-farm carrier, not of a document with genuine citations. The ClamAV signature (Pdf.Phishing.Trojan) and the ML classifier (malicious score 0.9994) agree on a phishing verdict. The only clickable link annotation points at https://gimoguvi.ru/award?keyword=medical+termination+of+pregnancy+pdf; its keyword parameter carries the search phrase the lure targets, and the URL is most likely a redirector into a fraudulent site or unwanted-software delivery chain. A duplicated indirect-object definition is also present, but it is scored as informational because the duplicate carries no active content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://gimoguvi.ru/award?keyword=medical+termination+of+pregnancy+pdf (PDF link annotation)
    • http://ladyso.ru/all_of_me_piano_guys_sheet_musictw0z8.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4369802/normal_6018d7fe8fade.pdf (in PDF document text)
    • http://bilkan.fun/creo_parametric_4._0_tutorial_deutschm32v3.pdf (in PDF document text)
    • http://reflectionss.space/buckeye_community_health_plan_providcw0qo.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4367940/normal_5fd2514627fd7.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4446491/normal_6004d9ba2b0e3.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://ebd73b9a-b255-48a5-b781-2bd84b483b4c.filesusr.com/ugd/956c05_4b2df0305be44f8490854c63b97a4e57.pdf?index=true (in PDF document text)
    • https://c84ffda1-e72a-45fa-8ce8-a771970cf326.filesusr.com/ugd/9fd656_4a26cc885c1f4047b07ae7ac7d754a00.pdf?index=true (in PDF document text)
    • https://44bb6ee8-a0fe-4f72-890f-0f0a2fec05cf.filesusr.com/ugd/b65acf_2d6f137128aa4a159c5cf321a380c4ee.pdf?index=true (in PDF document text)
    • https://s3.amazonaws.com/dusubonifu/saddleback_english_grammar_book_1.pdf (in PDF document text)
    • https://s3.amazonaws.com/piwupevivotixi/64009011390.pdf (in PDF document text)
    • https://22449060-8e30-4723-8828-967625cce342.filesusr.com/ugd/eddc50_7e4127db36b846b5889f8b5ba7dae763.pdf?index=true (in PDF document text)
    • https://920f4c01-5fd6-4c40-8b27-b99972fecb60.filesusr.com/ugd/d63aaf_5c6ee706178f45e887fb8e4141f5c6bf.pdf?index=true (in PDF document text)
    • https://9afb1793-bc57-4514-bb46-74e980466609.filesusr.com/ugd/11f207_bc7d67d6703540c1bc38e0175d5bebe1.pdf?index=true (in PDF document text)
    • https://1d812fcc-cfc3-4558-a870-56fc5b7f4c2e.filesusr.com/ugd/754d94_1eca295298d542f396159d75a0426765.pdf?index=true (in PDF document text)
    • https://s3.amazonaws.com/nokiva/17266043997.pdf (in PDF document text)
    • https://ddb1515c-011f-4d6c-9a6c-b305a2039a85.filesusr.com/ugd/477ac5_2bf875159b5544f8aee2c6d4f51bcec3.pdf?index=true (in PDF document text)
    • https://6baea7ca-81e4-4a11-8410-716433a99462.filesusr.com/ugd/764aaa_9486f8f08013431a8545f459df42659e.pdf?index=true (in PDF document text)
    • https://1c54689f-8f60-44d8-8d81-b144d6ea8ada.filesusr.com/ugd/787b0a_98796491b53f4a819e8652c3ce218b90.pdf?index=true (in PDF document text)
    • https://s3.amazonaws.com/levovod/blank_html_page.pdf (in PDF document text)
    • https://s3.amazonaws.com/lerezazo/farogi.pdf (in PDF document text)
    • https://8eb0ff2f-1b5f-41fb-a82b-bf279dc7f43e.filesusr.com/ugd/868f76_f895eb5d6d854e9bbf327a90a172a0fa.pdf?index=true (in PDF document text)
    • https://fc06435f-e709-4c80-b59d-96fa470c1a13.filesusr.com/ugd/bdc04d_b1e711854c504d769a279a3c39cbb74d.pdf?index=true (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    The last seven entries (the w3.org, purl.org and ns.adobe.com URIs and the SIL OFL link) are XMP/RDF namespace identifiers and a font-licence reference from embedded metadata and font data, not document links, and should not be counted toward the link-farm total.
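The two structural heuristics above (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and PDF_SEO_LINK_FARM) can be reproduced with a few lines of regex-driven Python. The sketch below is an added illustration, not code from the analysis engine that produced this report. It scans uncompressed `N G obj ... endobj` definitions, reports object ids defined twice with different bodies and shows what a first-wins versus a last-wins reader would resolve, then counts link-annotation targets per host and applies a small-file, many-links, one-dominant-host rule. The sample PDF, its hostnames (farm.example, cdn.example, redirect.example) and the thresholds are constructed for the demonstration; objects inside object streams and compressed content are out of scope.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Uncompressed 'N G obj ... endobj' definitions in file order (no xref or object-stream parsing).
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
# /URI (...) entries of URI actions inside link annotations.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def indirect_objects(pdf: bytes):
    """Yield (num, gen, body) for every indirect object definition, in file order."""
    for m in OBJ_RE.finditer(pdf):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip()


def duplicate_objects(pdf: bytes):
    """Object ids defined more than once with differing body bytes -> {(num, gen): [bodies...]}."""
    seen = {}
    for num, gen, body in indirect_objects(pdf):
        seen.setdefault((num, gen), []).append(body)
    return {k: v for k, v in seen.items() if len(set(v)) > 1}


def resolve(pdf: bytes, num: int, gen: int, policy: str) -> bytes:
    """Resolve (num, gen) the way a first-wins or last-wins reader would."""
    bodies = [b for n, g, b in indirect_objects(pdf) if (n, g) == (num, gen)]
    if not bodies:
        raise KeyError((num, gen))
    return bodies[0] if policy == "first" else bodies[-1]


def external_link_hosts(pdf: bytes) -> Counter:
    """Count http(s) link-annotation targets per host across every object definition seen."""
    hosts = Counter()
    for _, _, body in indirect_objects(pdf):
        for raw in URI_RE.findall(body):
            parts = urlsplit(raw.decode("latin-1"))
            if parts.scheme in ("http", "https") and parts.hostname:
                hosts[parts.hostname] += 1
    return hosts


def link_farm_score(pdf: bytes, max_size=200_000, min_links=5, cluster=0.6) -> dict:
    """Link-farm shape: a small file, many external links, most of them on one host (thresholds assumed)."""
    hosts = external_link_hosts(pdf)
    total = sum(hosts.values())
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_n / total if total else 0.0
    return {"links": total, "top_host": top_host, "top_share": round(share, 2),
            "flagged": len(pdf) <= max_size and total >= min_links and share >= cluster}


# --- constructed sample (not the analysed file): a link-farm PDF plus one incremental update ---
def link_annot(uri: str) -> bytes:
    return (b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
            b"/A << /S /URI /URI (" + uri.encode("latin-1") + b") >> >>")


def build_sample() -> bytes:
    uris = [f"http://farm.example/doc{i}.pdf" for i in range(6)] + ["https://cdn.example/x.pdf"]
    refs = b" ".join(f"{4 + i} 0 R".encode() for i in range(len(uris)))
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            b"<< /Type /Page /Parent 2 0 R /Annots [" + refs + b"] >>"] + [link_annot(u) for u in uris]
    pdf = b"%PDF-1.4\n" + b"".join(f"{i} 0 obj\n".encode() + o + b"\nendobj\n" for i, o in enumerate(objs, 1))
    pdf += b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    # Incremental update: object 4 is redefined with a different target, so the two
    # resolution policies disagree about where the first link leads.
    pdf += b"4 0 obj\n" + link_annot("https://redirect.example/award") + b"\nendobj\n"
    pdf += b"trailer\n<< /Root 1 0 R /Prev 0 >>\n%%EOF\n"
    return pdf


if __name__ == "__main__":
    sample = build_sample()
    for (num, gen), bodies in duplicate_objects(sample).items():
        print(f"object {num} {gen} defined {len(bodies)} times with differing bodies")
        print("  first-wins reader sees:", resolve(sample, num, gen, "first")[-60:])
        print("  last-wins reader sees: ", resolve(sample, num, gen, "last")[-60:])
    print(link_farm_score(sample))
```

Run against a real file, `duplicate_objects` is the check to combine with the severity rule stated above: a duplicate whose later body introduces a /URI, /JS or /Launch action where the earlier one had none is the case worth escalating, while body-only differences in ordinary incremental saves are expected noise.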

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                       Size
font_00_sfnt_off00010276.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x10276   5404 bytes
  SHA-256: bb754499b44c28b10a685cfec1c1cee1417a4397079b0bb12de14861447876ea
font_01_sfnt_off000114db.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x114DB   10356 bytes
  SHA-256: 1591313710efabaa9aec970da9201e3e4ce6bf6ebc04981602543fa6c626112b