Malicious PDF — malware analysis report

Static analysis result for SHA-256 a14b2602ed32cff2…

Verdict: MALICIOUS

File type: PDF

Size: 173.7 KB
Created: 2021-04-02 08:45:55 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-22
MD5: 0314d7428fabb8687753a2e9f3574670
SHA-1: e9f89aef6c2f6069227060f6bdd41e12ba734d54
SHA-256: a14b2602ed32cff26d1610df0b03aa90423599c34237341bed3e978d29a90190
Risk Score: 126

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous embedded URLs, many pointing to disposable domains, and is flagged by heuristics as a link farm and potentially malicious. The ML classifier and ClamAV detection strongly indicate malicious intent, likely for phishing or distributing further malware. Although no scripts were explicitly extracted, the PDF structure and embedded URLs suggest it's designed to redirect users to harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6470

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (8)

Files carved from inside the sample during analysis.

Filename (kind): source, size

  • stream_007_off000232af.bin (decompressed-pdf-stream): PDF FlateDecoded stream at offset 0x232AF, 12960 bytes
    SHA-256: 8198649584382c54649cf62e2b646f83e1d981d8590fb14c41dd671d41d1ffcb
  • font_00_sfnt_off0001e2c6.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x1E2C6, 8056 bytes
    SHA-256: 3ce753604d8531a36e320ef16e0e352ed2c23f6f9729312e8dae8881c9b3198c
  • font_01_sfnt_off0001fdc4.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x1FDC4, 5556 bytes
    SHA-256: 748a086caa8c0ead1bd9dea3ad69ca841b203f8ee2df6eab4b99a1fd000941cf
  • font_02_sfnt_off00021084.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x21084, 6308 bytes
    SHA-256: 382404ffd0eff33f2ea9bd58565f5907c88fee409cab14842e1a9b88c7e82236
  • font_03_sfnt_off00022316.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x22316, 4400 bytes
    SHA-256: 9378c0c6c09998375722d08fe323d312d7841ec6b2dfa83e58e32b8b7a02d306
  • font_05_sfnt_off0002578e.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x2578E, 15692 bytes
    SHA-256: 19fc7d82bcaa5b7ce4ed21802390f2363c6199cf1fe544d328149ad20ace0a91
  • font_06_sfnt_off0002856e.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x2856E, 3504 bytes
    SHA-256: 2be36b327340f298953f7e28ebe51dc9e49c1cbf652b3be46a14c41959761acd
  • font_07_sfnt_off0002931b.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x2931B, 5856 bytes
    SHA-256: bb4545417e578bcd650a05e1d61145694a3075dc7e4a3333f756960158d76bf9