Malicious PDF — malware analysis report

Static analysis result for SHA-256 9f0402ea0c5a3e18…

MALICIOUS

PDF

87.4 KB Created: 2021-03-15 21:33:46 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0fc25d38ee83f9341bdc08dacca2c194 SHA-1: b582f885025ebe31a05b0ed0b4cc5134a5eff85a SHA-256: 9f0402ea0c5a3e181176203b0e7a8bf77d11c5963124e2852fea87ba861345fb
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains numerous external links, many of which point to disposable domains and are likely part of a link farm designed to manipulate search engine results. The presence of a ClamAV detection for 'Pdf.Phishing.Trojan' and a high ML classifier score further indicate malicious intent. The document body, though heavily obfuscated, appears to be a lure related to 'burger king breakfast menu burrito' to drive traffic to these malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://dugedepap.ru/strik?utm_term=burger+king+breakfast+menu+burrito
    • http://lasns.fun/jakezu3x8f1.pdf
    • http://milafikolume.iblogger.org/what_else_can_you_cook_in_a_waffle_iron.pdf
    • http://malapiwo.66ghz.com/nejapafologilojoso.pdf
    • https://kepijiloxa.weebly.com/uploads/1/3/4/1/134108658/wexigovotiva.pdf
    • https://fofirajajamide.weebly.com/uploads/1/3/4/6/134643930/sufotapalibosaja.pdf
    • http://sokolov.fun/avchd_video_converter_for_androidhebrf.pdf
    • http://farvestnn.ru/294037267417sz3i.pdf
    • http://fofesivolu.iblogger.org/tilozewuwavojepukivoz.pdf
    • http://bbcua.site/nipisuvohu5yz.pdf
    • http://afracheat2.xyz/170951793656a3hh.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • http://legosipado.rf.gd/37410565711.pdf
    • https://3568ea06-17fa-4787-91ae-86b9aa918cbd.filesusr.com/ugd/8ade13_3c317356247f4a489ce8fcd58ba6a47b.pdf?index=true
    • https://4253c66a-660d-4c83-b31d-f715833d547b.filesusr.com/ugd/d9e9a0_83d3fe118b63454abaea9641f2056da8.pdf?index=true
    • https://e905a76e-7bc1-418c-be29-e8eda1603e86.filesusr.com/ugd/3fb32a_2a59074e03284098b06ca520752d0f5e.pdf?index=true
    • https://1f9cfe0c-d655-4514-b58a-75380282e405.filesusr.com/ugd/d31784_7e7ea4709e6343908460471387dda6ea.pdf?index=true
    • http://vuriruzuminomu.epizy.com/58333063516.pdf
    • https://7a512b58-7189-4bc4-8343-f643fa9054c9.filesusr.com/ugd/1e52da_335d2276def0473885f4427a4e44abf0.pdf?index=true
    • https://d45380bd-a93d-4ef2-b2bd-4c7806d1f6db.filesusr.com/ugd/5d2cf3_34bcd80143d743f4be6b23f3a092f08f.pdf?index=true
    • http://xasexaxalu.epizy.com/coc_game_apk.pdf
    • https://858e1da1-ad31-4e5b-aec0-89c59c6c71f6.filesusr.com/ugd/6240f8_258e891b526d4132a76e5f41c905a3c6.pdf?index=true
    • http://sukepavudopuje.epizy.com/bedorodurap.pdf
    • https://e9b66cc5-9289-431c-8f17-6739e1cd2d88.filesusr.com/ugd/c8f33b_ec84f0f802c04a7cb6aedf514ca8106c.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00010a58.bin
b89ecdcc39122fb089562469f09945b0bacdca125300b8e07652835c93a825d0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10A58 5188 bytes
font_01_sfnt_off00011bf0.bin
0d933f78390fd9299887fa0965e1b66bf3d0c5e77ba9867ff15ee55e2332127c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11BF0 11180 bytes
font_02_sfnt_off00014208.bin
ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x14208 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.