Malicious PDF — malware analysis report

Static analysis result for SHA-256 9f755a76ab68a5a4…

Verdict: MALICIOUS

File type: PDF

Size: 147.7 KB
Created: 2021-04-03 11:04:35 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-07-10
MD5: dab4b98574cfab474780f36ea47beb57
SHA-1: eab63fb28a1f79a4a6d22d86fcaa8eeebfea6f69
SHA-256: 9f755a76ab68a5a4a49331ba96949974311f4022183c8428f4d4351a4f53a98c
Risk Score: 126

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. It contains numerous external URLs, with at least one identified as part of a link farm on disposable hosting, suggesting a phishing or scam lure. The presence of embedded URLs and the overall structure point towards an attempt to redirect users to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9976

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://maypoin.ru/wix?keyword=monster+strike+apk+jp (PDF link annotation)
    • http://jedilinosur.mywebcommunity.org/best_basketball_plays_against_a_2-3_zone.pdf (in PDF document text)
    • https://cdn.sqhk.co/motanunika/f1hvu9Y/62345156275.pdf (in PDF document text)
    • http://bobakolanuvam.22web.org/tedikuvuza.pdf (in PDF document text)
    • https://cdn.sqhk.co/tabuguran/ih8rjfD/videos_likee_id.pdf (in PDF document text)
    • https://cdn.sqhk.co/guviterolovu/Ejhoggj/best_sheets_to_buy_at_walmart.pdf (in PDF document text)
    • http://pitikudefojeken.getenjoyment.net/black_hawk_down_book_download.pdf (in PDF document text)
    • https://cdn.sqhk.co/gadewekunel/OggJZhi/18136375226.pdf (in PDF document text)
    • https://cdn.sqhk.co/gogerazina/hfp8bgg/zasefefajerewovasaz.pdf (in PDF document text)
    • http://semasinizitowo.medianewsonline.com/jaquar_sanitary_fittings_catalogue.pdf (in PDF document text)
    • http://joxezorov.mywebcommunity.org/pasawebilasanadebe.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://cb8582fb-ab29-4f13-bfd4-623ca244ab52.filesusr.com/ugd/d61b30_1b1d4502353e4b59921c7d4266bbc52a.pdf?index=true (in PDF document text)
    • http://fonimegalidoxu.epizy.com/adding_and_subtracting_mixed_numbers_word_problems_worksheet_with_answers.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/a1c3bbb6-83cd-475e-8ad0-abaab62a60a5/metrica_del_poema_a_julia_de_burgos.pdf (in PDF document text)
    • https://564fd4a8-0e6d-4f97-813a-a14a70c45316.filesusr.com/ugd/f90d28_89563615ce2646789b040935f6b31876.pdf?index=true (in PDF document text)
    • https://153f2bed-3501-4ec5-9468-ed1987511f6d.filesusr.com/ugd/f67134_0203d59b4ae04eaa8e52555ef6e28108.pdf?index=true (in PDF document text)
    • https://c2dbac7f-2075-4dc1-ad03-af0d0352bff2.filesusr.com/ugd/278743_fdd1a248e97b454184ea9e16fcc4a365.pdf?index=true (in PDF document text)
    • https://c36efdde-2309-4ce2-a10d-b6df2ce12cd8.filesusr.com/ugd/e98059_e8fc507103004958806f893b242aa3ca.pdf?index=true (in PDF document text)
    • https://ac65beef-1c88-4b01-a948-251493ed82f2.filesusr.com/ugd/09857b_a0c3c750f45a4f74826f708337f006a7.pdf?index=true (in PDF document text)
    • https://6eed613e-cbae-405e-b458-9655ef9033f8.filesusr.com/ugd/e4f6f0_6d47b046bd174317a3f4d67a542faa4d.pdf?index=true (in PDF document text)
    • http://mitekavutoz.rf.gd/pegiv.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/259a96df-4599-4caf-851c-78d2ea38aaca/learn_how_to_read_music_notes.pdf (in PDF document text)
    • https://2e8e3215-33bf-4fe1-bc67-b38dac560527.filesusr.com/ugd/269bb8_7693fdf575df4591ae5ab99184013e94.pdf?index=true (in PDF document text)
    • http://nolewepanuvaxup.epizy.com/is_evening_primrose_oil_good_for_trying_to_conceive.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • stream_002_off0000fea4.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xFEA4
    Size: 80880 bytes
    SHA-256: 02b8b99aeff90eed1c87d40d3b2d095c5cc798672bc6835993f139777e36600c
  • font_01_sfnt_off0001ef92.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1EF92
    Size: 4928 bytes
    SHA-256: 0014d21fcf3aba04bf87f13e17ae265f8778a40574f37665c3118a767f815d53
  • font_02_sfnt_off00020075.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x20075
    Size: 12784 bytes
    SHA-256: fc127710d469184c1abe320c929377f5396f6877725e091352715820c35d4cfe
  • font_03_sfnt_off0002298c.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2298C
    Size: 16628 bytes
    SHA-256: 020ee42428aa70040fe95a6620c7c6c5d5eaa08f188bef8d9519159df604ae44