Malicious PDF — malware analysis report

Static analysis result for SHA-256 a81dc264261e1c2a…

Verdict: MALICIOUS
File type: PDF

Size: 76.5 KB
Created: 2021-06-06 13:03:03 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-25

MD5: f45ef3e0ba37a092b6c2504b8a6fa87a
SHA-1: 4c71b7a3aad75d8a4c2b70e64eaaba8ff6284f27
SHA-256: a81dc264261e1c2ac8d0a423fed15a7c742cbe11dc348217d584bff92f837508

Risk Score: 126

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous embedded URLs, with a primary focus on a link that promises a hack for 'Carx drift racing lite apk download'. This, combined with heuristics indicating a link farm on disposable hosting and a high ML classifier score, strongly suggests a phishing or malware distribution attempt. The presence of PDF_SEO_DISPOSABLE_LINK_FARM and PDF_URI heuristics, along with the ClamAV detection, confirms the malicious nature of the document.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9989

Heuristics (5)

  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • [medium] PDF_SEO_DISPOSABLE_LINK_FARM: Small PDF is a non-clustered link farm on disposable hosting
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://coretry.ru/pbw?utm_term=carx+drift+racing+lite+hack+apk+download (PDF link annotation)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000dfaa.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xDFAA | 5276 bytes
  SHA-256: 75680a63ee54e5747bb915a8443cb84ef38965efa3afed0600e79394fabbe171
font_01_sfnt_off0000f1a9.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF1A9 | 10664 bytes
  SHA-256: 75f582437d1c6bdc98b15e1648d403b19ec6a067f15e7abe775ca119f7bd6faf
font_02_sfnt_off00011644.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11644 | 4324 bytes
  SHA-256: 9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2