Malicious PDF — malware analysis report

Static analysis result for SHA-256 9e2c169740d59ad5…

Verdict: MALICIOUS
File type: PDF
Size: 80.3 KB
Created: 2021-03-06 03:09:28 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-05-22
MD5: 3d7dd86036d87e4ce9d4222ba54e290c
SHA-1: f32b08e2a33117f53a7e4502beea67a14292d62f
SHA-256: 9e2c169740d59ad5ddabc5e8b5c007141dfd3c7fc2d01497bcf1c1fb9c9bc687
Risk score: 66

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a link farm pointing at disposable hosting domains, the shape of an SEO-driven phishing or scam lure. The document body, though heavily obfuscated, appears to be a lure about a refrigerator that is not cooling (the search keyword carried by the link annotation), intended to get the reader to click through to the external URL. The ML classifier scores the file as malicious with high confidence.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (4)

  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://jumiwimov.ru/award?keyword=why+is+my+whirlpool+refrigerator+not+cooling (PDF link annotation)
    • https://cdn.sqhk.co/rivogigaweb/lWiihcs/vovijate.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4450154/normal_60341cbcdec58.pdf (in PDF document text)
    • https://cdn.sqhk.co/fefuxumito/f0jhHih/short_speech_on_my_birthday_celebration.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4494661/normal_602c793446497.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4369505/normal_6036655836e3b.pdf (in PDF document text)
    • https://cdn.sqhk.co/fisejadiruw/ghidhf7/3624803521.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://ec2d952e-5494-46d8-b841-fee222248b17.filesusr.com/ugd/9713d5_d9472b08155948d085a13bd4fb2c8daf.pdf?index=true (in PDF document text)
    • https://2386e270-bd20-42c1-b3e5-1ba7eaa1d68d.filesusr.com/ugd/b4f0c6_b0e7af3c31f944acbe2ecf120c36aa9e.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/2b8d6121-ce6f-4d0a-87f1-266c642118d5/92378055330.pdf (in PDF document text)
    • https://1eb42bdc-3da6-4b32-b75f-4382f1721f8e.filesusr.com/ugd/35474d_3d55c46e2d4c44c481fb92bdd2f918d1.pdf?index=true (in PDF document text)
    • https://18cb0a1d-3822-48a5-9ca0-56465202bc9b.filesusr.com/ugd/96564c_379d7d52ae7f41d7b31c6cd011f85a71.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/bd1cbc1c-0735-4e9b-ad2d-2f77879b20e0/mejores_frases_de_el_monje_que_vendio_su_ferrari.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/40a69a89-785e-4a67-9b11-75f8b3d1675b/le_petit_prince_montblanc_notebook.pdf (in PDF document text)
    • https://c1bbde11-5cda-4f7c-8b74-b2fe90b484f5.filesusr.com/ugd/1c8c6c_88f2318d72b945c89d6d343454012b3a.pdf?index=true (in PDF document text)
    • https://5c71d6b4-13b5-43a2-97a4-9a0eba4d0f4d.filesusr.com/ugd/0f1814_c55ee3050f964b49b9edae3037b9182d.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/0ba5b5e3-bcfd-420f-b2a3-3db95cf4956d/vox_ac30_handwired_head_and_cab.pdf (in PDF document text)
    • https://a79fbd7c-12a6-44fe-9d3c-43dc2b0795a8.filesusr.com/ugd/f95141_8f03d2ba9d7e41279ff7bbb43139e012.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/b323dd67-780a-4e6b-9268-866656cc4c18/naxugiwinonikalivaz.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/e39c9bba-0ffe-445d-b8c9-242945e76768/attack_on_titan_season_4_full_story.pdf (in PDF document text)
    • https://aefb6378-f3ca-470a-b9d2-22936542d087.filesusr.com/ugd/fe129c_cd10a0496e4a4cc8a5c42ebdf1ce5ccf.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/58d32496-b9fa-4de8-90d3-e0edb53fced6/58107268934.pdf (in PDF document text)
    • https://d525ee04-2a40-494f-8ba9-fee52f7b18ee.filesusr.com/ugd/8b8e24_65da60f8660d4e8bbd7852dbaa1ecde0.pdf?index=true (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
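The two heuristics above that rest on real parsing logic, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and PDF_SEO_DISPOSABLE_LINK_FARM (together with the per-channel URL labelling of EMBEDDED_URL), can be reproduced in a short script. The Python below is an added example written for this page, not the analysis engine's own code. It regex-scans the raw PDF bytes rather than following the xref table, so it sees every object definition an incremental update appends; it reports object ids defined more than once with differing bodies and what a first-wins and a last-wins reader would each resolve, labels extracted URLs by channel (/URI link action versus document text), and scores the host spread. The sample PDF, its .invalid hosts, the thresholds, the active-content key list and the namespace-host skip list are all assumptions; the default disposable-host suffixes are the hosts that appear in this report's own URL list.

```python
# Added example, not part of the original report: a triage script that reproduces
# the duplicate-object and link-farm heuristics above on a constructed sample PDF.
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
URL_RE = re.compile(rb"https?://[^\s()<>]+")
# Assumed list of keys whose presence makes a re-defined object "active content".
ACTIVE_KEYS = (b"/URI", b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA")
# Free/disposable content hosts taken from this report's URL list (assumption: extend as needed).
DISPOSABLE_SUFFIXES = ("sqhk.co", "f-static.net", "filesusr.com", "strikinglycdn.com")
# XMP schema namespaces and the font licence URL are metadata, not clickable links (assumption).
NAMESPACE_HOSTS = {"www.w3.org", "purl.org", "ns.adobe.com", "scripts.sil.org"}

# Constructed sample (all hosts are .invalid placeholders): a PDF whose link annotation
# (object 4 0) is redefined by an incremental update with a different /URI.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] /Contents 5 0 R >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://seo-redirector.invalid/award?keyword=why+is+my+fridge+not+cooling) >> >> endobj
5 0 obj << /Length 0 >>
stream
(https://free-host-a.invalid/u/1/a.pdf) Tj
(https://free-host-b.invalid/files/b.pdf) Tj
(https://uuid-1.free-host-c.invalid/ugd/c.pdf?index=true) Tj
(https://free-host-a.invalid/u/2/d.pdf) Tj
(http://www.w3.org/1999/02/22-rdf-syntax-ns#) Tj
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://seo-redirector.invalid/award?keyword=fridge&utm_term=whirlpool) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
SAMPLE_DISPOSABLE = ("free-host-a.invalid", "free-host-b.invalid", "free-host-c.invalid")

def parse_objects(data):
    """All 'N G obj ... endobj' definitions in file order; incremental updates append."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3).strip()) for m in OBJ_RE.finditer(data)]

def _uri_in(body):
    m = URI_RE.search(body)
    return m.group(1).decode("latin-1") if m else None

def duplicate_objects(data):
    """Object ids defined more than once with differing bodies, plus the /URI a
    first-wins and a last-wins reader would each resolve."""
    defs = {}
    for num, gen, body in parse_objects(data):
        defs.setdefault((num, gen), []).append(body)
    findings = {}
    for key, bodies in defs.items():
        if len(set(bodies)) < 2:
            continue  # byte-identical re-definitions are a harmless incremental-update shape
        findings[key] = {
            "first_uri": _uri_in(bodies[0]), "last_uri": _uri_in(bodies[-1]),
            "active": any(k in b for b in bodies for k in ACTIVE_KEYS),
        }
    return findings

def extract_urls(data):
    """[(url, channel)]: 'link annotation' for /URI actions, 'document text' for the rest."""
    annotated = {u.decode("latin-1") for u in URI_RE.findall(data)}
    urls, seen = [], set()
    for m in URL_RE.finditer(data):
        url = m.group(0).decode("latin-1")
        if url not in seen:
            seen.add(url)
            urls.append((url, "link annotation" if url in annotated else "document text"))
    return urls

def link_farm_assessment(urls, disposable=DISPOSABLE_SUFFIXES, min_links=5, max_dominant_share=0.5):
    """Non-clustered link farm: enough links, no dominant host, corroborated by a
    utm_term SEO redirector and/or disposable hosts. Thresholds are assumptions."""
    hosts, seo_redirector, hits = [], False, set()
    for url, _channel in urls:
        parts = urlsplit(url)
        host = parts.hostname or ""
        if host in NAMESPACE_HOSTS:
            continue
        hosts.append(host)
        seo_redirector |= "utm_term" in parse_qs(parts.query, keep_blank_values=True)
        if any(host == s or host.endswith("." + s) for s in disposable):
            hits.add(host)
    counts = Counter(hosts)
    dominant = max(counts.values()) / len(hosts) if hosts else 0.0
    return {
        "links": len(hosts), "distinct_hosts": len(counts), "dominant_share": round(dominant, 3),
        "seo_redirector": seo_redirector, "disposable_hosts": sorted(hits),
        "link_farm": len(hosts) >= min_links and dominant <= max_dominant_share
        and (seo_redirector or bool(hits)),
    }

if __name__ == "__main__":
    print(duplicate_objects(SAMPLE_PDF))
    print(link_farm_assessment(extract_urls(SAMPLE_PDF), disposable=SAMPLE_DISPOSABLE))
```

On the sample, object 4 0 is reported as active with a first-wins /URI carrying only the search keyword and a last-wins /URI carrying utm_term, which is exactly the reader-dependent resolution the heuristic describes. The byte-level scan is deliberate: an xref-driven parser only ever sees the winning definition. Its cost is that objects packed into object streams and FlateDecode'd content streams are invisible to it, so a real triage pass inflates streams (and unpacks /ObjStm) before applying the same regexes.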

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size         SHA-256
font_00_sfnt_off0000fc98.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xFC98   5636 bytes   6f1a77a941f9f04a6fe1c6d35260faf975ed0e0b24158f2ed071099a60cd0b37
font_01_sfnt_off00010fbe.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x10FBE  10520 bytes  74e6368f60cc936af1c353aa8a847fae0ee9be6cf331bc20f0ce77bb0adc21d0