Malicious PDF — malware analysis report

Static analysis result for SHA-256 ad504109ddbccb7a…

MALICIOUS

PDF

84.4 KB Created: 2020-11-12 23:17:50 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-04
MD5: 797547d983ce4a8beba35d6a36924243 SHA-1: 9124aa64e759df41e4c5ecc9716e59d1d8e8635f SHA-256: ad504109ddbccb7ab899676430941719fc2813f40ec406c828441e681fdcddbe
196 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm and routes users through malicious redirector infrastructure. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Payment redirection / bank-detail change lure high SE_PAYMENT_REDIRECT_LURE
    Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffking.ru/123?utm_term=box+heads+2+unblocked PDF link annotation
    • https://zusaneji.weebly.com/uploads/1/3/0/8/130813769/7d5edcff94eba.pdfIn PDF document text
    • https://gexeperi.weebly.com/uploads/1/3/4/3/134348656/ae9191.pdfIn PDF document text
    • https://lukafove.weebly.com/uploads/1/3/4/6/134655473/9930a264b59.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://www.daltonmaag.com/In PDF document text
    • https://uploads.strikinglycdn.com/files/e20ef4d7-2f17-4741-80b2-4524e2b3ca77/rakofulu.pdfIn PDF document text
    • https://s3.amazonaws.com/miwolezedubujoz/zoferedom.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/2783c196-1c1c-431b-9728-78a24a842fac/2016_happy_new_year_greetings.pdfIn PDF document text
    • https://s3.amazonaws.com/nabifovu/79231160405.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/bb6b276f-0879-4818-887e-b93a50f50432/pugamitewemurebuxirivali.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/ec1853c2-8c2a-46b0-8743-22fdd6a7c4dc/neniduwugevikidel.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/bff0e285-44b7-48e3-8fbd-ece4d6cc403e/cuentos_breves_con_moraleja_para_adultos.pdfIn PDF document text
    • https://s3.amazonaws.com/mesotodimus/punowubasa.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/27a99208-f610-433b-b63f-67715ce2355a/xokeg.pdfIn PDF document text
    • https://s3.amazonaws.com/luropi/mobexexifo.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/72c07b5d-37ad-41e4-931c-e92b41e0e154/vadizetowupenux.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000deed.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDEED 2888 bytes
SHA-256: daa464992833498aeea8162072d590ce607b5a38febd641a4b4e7fef94ab354e
font_01_sfnt_off0000e937.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE937 5136 bytes
SHA-256: 963d5aaa536db1627188d34a610d21b8f4d5f3017e08ad784b161e0582bfd667
font_02_sfnt_off0000faa0.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFAA0 11808 bytes
SHA-256: a8fb1dda05651558936836cd0a788bf8c8ea6c4cb7b0184fd75fa1dfd7ac9ac6
font_03_sfnt_off00012170.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x12170 16064 bytes
SHA-256: 569f756873fd89e9ac54c2be6ee8ad0a68594ee77c2378937be7521d336ae4b9
font_04_sfnt_off000135fa.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x135FA 4324 bytes
SHA-256: 05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176