Malicious PDF — malware analysis report

Static analysis result for SHA-256 a179e90cb47c58ad…

Verdict: MALICIOUS
File type: PDF
Size: 80.4 KB
Created: 2021-03-24 00:18:19 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-22
MD5: e3bfe4416b527c4af163439557ec4e25
SHA-1: 3b6c32046ca8aecee2d4c8f29c94820ca4aae596
SHA-256: a179e90cb47c58ad7782b55971af4f408244057103fe7529c0c020082bdca45f
Risk Score: 344

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution

The PDF contains embedded JavaScript and links to known malicious redirector infrastructure, specifically https://yafferge.ru/123?utm_term=adele+songs+someone+like+you. This indicates an attempt to exploit vulnerabilities or trick the user into visiting a malicious site. The ClamAV detection and ML classifier further support its malicious nature, classifying it as a phishing trojan.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics 8

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://yafferge.ru/123?utm_term=adele+songs+someone+like+you (In PDF document text)
    • http://nujagexurej.medianewsonline.com/kiterezisuga.pdf (In PDF document text)
    • http://goodnatural.space/bosobagariredunogowaj6a21n.pdf (In PDF document text)
    • http://golomashvanna.xyz/s20_fe_vs_s9_sizewy8bd.pdf (In PDF document text)
    • http://mmmuuuue.space/by_the_way_bass1xypb.pdf (In PDF document text)
    • https://cdn.sqhk.co/lunapolakezo/gjxjjzk/verizon_fios_ont_inside_or_outside.pdf (In PDF document text)
    • http://desokore.medianewsonline.com/tatug.pdf (In macro / runtime command snippet)
    • http://creamwalls.online/marlin_60_vs_ruger_10_22_reliability910it.pdf (In macro / runtime command snippet)
    • http://lamovingcompany.com/buwikejiwusekxub8.pdf (In PDF document text)
    • http://appletopshop.ru/nodotuxknabc.pdf (In PDF document text)
    • https://cdn.sqhk.co/fuluzezufe/rtMjjic/architects_salary_guide_2018.pdf (In PDF document text)
    • http://kzrovk.xyz/one_thousand_and_one_nights_bookwr28p.pdf (In PDF document text)
    • http://stroymarketmetal.ru/bahubali_2_tamil_movie_ringtonecr205.pdf (In PDF document text)
    • https://cdn.sqhk.co/ruvajuvewuj/iaiaSDq/rally_championship_game_pc.pdf (In PDF document text)
    • http://www.ascendercorp.com/ (In PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (In PDF document text)
    • http://viwaneb.rf.gd/artritis_reumatoide_guia_rapida.pdf (In PDF document text)
    • https://93dbb2ad-f1e8-4c6c-adfd-2ef134399473.filesusr.com/ugd/df4650_b5441d3c71114f7791241f4f4816897c.pdf?index=true (In PDF document text)
    • http://judiserod.onlinewebshop.net/presentation_skills_notes.pdf (In PDF document text)
    • http://jofikuv.atwebpages.com/automating_active_directory_administration_with_windows_powershell.pdf (In PDF document text)
    • http://zisajas.epizy.com/puvotiwosuwe.pdf (In macro / runtime command snippet)
    • https://b70645e9-42d7-44c6-80f2-f165c8819e8d.filesusr.com/ugd/3f1130_4946c6ed2f1c4c959da7412073edc5bf.pdf?index=true (In PDF document text)
    • https://93bb5028-8b17-4c47-8ab9-f46a024b0e86.filesusr.com/ugd/041612_bdf8939cee40442b8ace47314ab7642b.pdf?index=true (In PDF document text)
    • http://nokarox.rf.gd/car_mileage_correction_software_free.pdf (In PDF document text)
    • https://b5f169ef-6bcf-4d19-a24b-32bdc9dd7a5f.filesusr.com/ugd/2e79a6_2d7a3ecbd6cd466e84b2dad371229d3b.pdf?index=true (In PDF document text)
    • https://7c50ec62-1ece-451b-b03c-4788199016cf.filesusr.com/ugd/635f3c_cf3cec3a1e474865ac59e019633cfdf9.pdf?index=true (In PDF document text)
    • http://tejejobosal.epizy.com/balizazixuzanitibalika.pdf (In PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (In PDF document text)
    • http://purl.org/dc/elements/1.1/ (In PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (In PDF document text)
    • http://scripts.sil.org/OFL (In PDF document text)

Extracted artifacts 3

Files carved from inside the sample during analysis.

  • Filename: embedded_pdf_script_0000952f.bin
    Kind: pdf-embedded-script
    Source: PDF decompressed stream script payload at offset 0x952F
    Size: 82354 bytes
    SHA-256: a2bf53fcc5de7a6c42ff1564ce4829652ab79cd5b6e4b859246526a036a25fbf
    Detection: ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
    Obfuscation or payload: likely
    Carved artifact contains 1 shell/COM execution token(s).
    Preview script (first 1,000 lines of the extracted script):
%PDF-1.4
1 0 obj
<<
/Title (�� A d e l e   s o n g s   s o m e o n e   l i k e   y o u)
/Creator (�� w k h t m l t o p d f   0 . 1 2 . 5)
/Producer (�� Q t   4 . 8 . 7)
/CreationDate (D:20210324001819+02'00')
>>
endobj
3 0 obj
<<
/Type /ExtGState
/SA true
/SM 0.02
/ca 1.0
/CA 1.0
/AIS false
/SMask /None>>
endobj
4 0 obj
[/Pattern /DeviceRGB]
endobj
6 0 obj
<<
/Type /XObject
/Subtype /Image
/Width 625
/Height 155
/BitsPerComponent 8
/ColorSpace /DeviceRGB
/Length 7 0 R
/Filter /DCTDecode
>>
stream
[binary DCTDecode (JPEG) image stream bytes omitted; not representable as text]
... (truncated)
  • Filename: font_00_sfnt_off0000fd66.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFD66
    Size: 4992 bytes
    SHA-256: b78151e89c2df1b78a317a3aa6ed7bde6a55f50e73c0b93ab13ff8edc18bb617
  • Filename: font_01_sfnt_off00010e61.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10E61
    Size: 11100 bytes
    SHA-256: ec4756ea8dd840914a3e912b5ce2c70f8809dd10c16006b4d2b369a42195ce90