Malicious PDF — malware analysis report

Static analysis result for SHA-256 a3523dd36c7d9b62…

MALICIOUS

PDF

81.4 KB Created: 2021-09-20 20:15:26 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-11-23
MD5: b2332db0eb9c578b849ba2e892f15aa5 SHA-1: 0e9474dfec54cc7243ee421753317f4c9826fdcf SHA-256: a3523dd36c7d9b628976ad9952fea43050bddae5848b3d080045a6be760c7004
74 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains embedded JavaScript and multiple external URIs, indicating an attempt to redirect the user to malicious websites. The heuristic 'PDF_SEO_DISPOSABLE_LINK_FARM' strongly suggests the document's purpose is to host numerous links on disposable domains, likely for phishing or malware distribution. The ML classifier also flagged this PDF as malicious with high confidence.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9981

Heuristics 5

  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://queure.ru/uplcv?utm_term=play+store+app+download+latest+version PDF link annotation
    • https://gad-elhak.com/userfiles/file/78269486940.pdfIn PDF document text
    • https://usssecuritate.ro/userfiles/file/25191790323.pdfIn PDF document text
    • https://mgs-on-track.com/uploads/misc/files/talodumalekuforik.pdfIn PDF document text
    • https://siyata.co.il/wp-content/plugins/formcraft/file-upload/server/content/files/16137a7ba03852---27875657651.pdfIn PDF document text
    • http://algarestofos.pnh.pt/js/ckfinder/userfiles/files/30008008702.pdfIn PDF document text
    • http://tnhmc.com/userfiles/file/xareboxikuxixevod.pdfIn PDF document text
    • https://foodthings.us/userfiles/file/joxemi.pdfIn PDF document text
    • https://nevisnews.com/userfiles/30577425921.pdfIn PDF document text
    • https://laundrybyconrads.com/nbloom/fckuploads/file/99691418953.pdfIn PDF document text
    • http://maternites-catholiques.org/ressource/site-image/files/1789762306.pdfIn PDF document text
    • http://abcbyspu.net/ckfinder/images_store/files/wuwumosofub.pdfIn PDF document text
    • http://mashhadgardi724.ir/basefile/mashhadgardi724/files/komuvurigawuzugififaxek.pdfIn PDF document text
    • http://candientuvibra.com/images/file/sasafifowaruwura.pdfIn PDF document text
    • https://monamifrance.com/FileData/ckfinder/files/20210912_5E2D287AE5688C1D.pdfIn PDF document text
    • http://gps-tw.com/CKEdit/upload/files/nokejaw.pdfIn PDF document text
    • http://geopraxis.it/userfiles/files/wabubasuguwanetet.pdfIn PDF document text
    • http://studiorapizza.it/userfiles/files/40055070133.pdfIn PDF document text
    • https://dongphuchuytai.com/upload/files/32596672938.pdfIn PDF document text
    • http://sportschoolindex.nl/images/uploads/dazojadape.pdfIn PDF document text
    • http://ahzgbh.news-read.com/upload/files/27822115487.pdfIn PDF document text
    • http://manvilastrust-org.bvirani.com/ckfinder/userfiles/files/xomame.pdfIn PDF document text
    • http://optimumnieruchomosci.pl/uploads/userfiles/files/36212260523.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d988.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD988 17676 bytes
SHA-256: 4cdfdf5bcacd7da35588a2622e87becd0e15090d716aa8fdbfeed8d21a2e316c
font_01_sfnt_off0001071a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1071A 10652 bytes
SHA-256: 7e2b29254ce106af31976f126720895991a0bc699d120d626d40a4c6801dad50
font_02_sfnt_off00011fbc.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x11FBC 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1