Malicious PDF — malware analysis report

Static analysis result for SHA-256 a07c37d71a086f46…

Verdict: MALICIOUS
File type: PDF
Size: 75.8 KB
Created: 2021-03-23 14:25:51 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-24
MD5: 7d751ef3e2ae7432009efa483387b4e7
SHA-1: 128ff5dc5345810ac13bdf21bc6867465a3cf616
SHA-256: a07c37d71a086f4609e7e8c46a681e4d7f1da0abd750b1652542ce1874db3517
Risk Score: 126

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9948

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL (channel that reached it)
    • https://nipisod.ru/wix?keyword=scarlet+letter+test+with+answers (PDF link annotation)
    • http://baltika-trans.com/nuwokkzu2z.pdf (in PDF document text)
    • http://fastgetme.online/20462422337b5nfu.pdf (in PDF document text)
    • http://mon-compte-cmb.best/99091687990wxsek.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4443598/normal_5fd7a5be2ea15.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4415783/normal_60146aec761d2.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4492259/normal_5ffff27fdd0dc.pdf (in PDF document text)
    • http://usacreditmonitoring.info/tuesdays_with_morrie_chapter_1_summarygmhno.pdf (in PDF document text)
    • http://chambreapp.xyz/bolojoginutedqldc.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4455183/normal_5fdec8c63aa17.pdf (in PDF document text)
    • http://flathead.us/dividing_fractions_word_problems_6th_grade_worksheetswph9f.pdf (in PDF document text)
    • http://interplast.ru/26778423511pbpmw.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4381320/normal_6007cc01d1108.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4367941/normal_6050e26394d08.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4459163/normal_604db1a9066b5.pdf (in PDF document text)
    • http://testersairf.xyz/85207878140oit8l.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4446152/normal_5fef6a780c48b.pdf (in PDF document text)
    • http://teagreen.space/new_cartoon_movies_free_mp4m8lb6.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • http://www.daltonmaag.com/ (in PDF document text)
    • https://011f98f8-b45f-4578-a2fd-466b530f7845.filesusr.com/ugd/74e905_178737a0986742ef8df853792cd310bb.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/0921bae4-f3c8-4e1e-a2d0-c4cb118a3265/vitabejupipajesojuzitiv.pdf (in PDF document text)
    • https://4be8a7ba-6c9a-47a4-99fc-a5961b41a404.filesusr.com/ugd/132250_d8045a2583294a8ab3e8a6e9e6cab98d.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/5f89f95f-50bb-437d-91ef-02fb1a7292f8/is_there_a_bible_study_fellowship_app.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/d9cbb1fd-9811-4340-8509-6395c867fab9/lidogalivolowoliv.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/9b239c10-8339-4a7a-8cd0-707e4a57b713/how_to_change_your_name_on_your_drivers_license_in_washington.pdf (in PDF document text)
    • https://c183b790-cb34-49aa-848e-1a9f2b14dda3.filesusr.com/ugd/d8966e_3c8f96b182e84750bd141ad9576e7c44.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/ac147736-cf4f-4f0e-8800-67d960b6d33e/boy_scout_camp_medicine_mountain.pdf (in PDF document text)
    • https://27dd58ca-3bab-4825-b0a2-cb75a9f796de.filesusr.com/ugd/aba4c5_232b5b4f53ee40b6b957bc40d93a9014.pdf?index=true (in PDF document text)
    • https://ab2ac9d4-4772-4872-829d-c19fde0a4f90.filesusr.com/ugd/b919b3_d0237ce294ba413c9949e07c901be643.pdf?index=true (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                       Kind             Source                                       Size
font_00_sfnt_off0000df36.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xDF36    4760 bytes
  SHA-256: 9a9d299ad9332694614db530f7eb07f877e45db43aa48eb5730c7a5761f35c15
font_01_sfnt_off0000ef4b.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xEF4B    10536 bytes
  SHA-256: 4a67f30849972ee13287417a41168093945dfb723f2b3f99971d92f7aa0bee00
font_02_sfnt_off00011357.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x11357   4324 bytes
  SHA-256: d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378