Malicious PDF — malware analysis report

Static analysis result for SHA-256 ae13cb82a0bdd7b3…

MALICIOUS

PDF

74.4 KB Created: 2021-02-25 13:44:35 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-11
MD5: 8845d0a50dd632f7b934702c597057d2 SHA-1: 7361835c636c60cd88b4fffcc95817a995442255 SHA-256: ae13cb82a0bdd7b3135353401a91151b319463ce7f2f6428647a8de17de8a880
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file is identified as malicious by ML classifiers and ClamAV, indicating a phishing or trojan payload. It contains a large number of external links, many hosted on disposable domains, suggesting a link farm or SEO poisoning tactic to direct users to malicious sites. The document body, though heavily obfuscated, appears to be a lure related to search queries, further supporting a phishing or scam attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://baarspo.ru/award?keyword=nail+places+that+are+open+today+near+me PDF link annotation
    • https://bibokesoxi.weebly.com/uploads/1/3/4/8/134850131/4528077.pdfIn PDF document text
    • https://kasivolonu.weebly.com/uploads/1/3/4/6/134688646/delusasowafab.pdfIn PDF document text
    • https://cdn.sqhk.co/pirujezexod/gijeXKT/nfl_games_on_cbs_all_access_today.pdfIn PDF document text
    • https://cdn.sqhk.co/bapulofuw/jcticpe/pixoruv.pdfIn PDF document text
    • http://jekenufakewe.mypressonline.com/como_preparar_cebada_perlada.pdfIn PDF document text
    • http://mosebuzixat.mywebcommunity.org/navy_advancement_center_cpo_results.pdfIn PDF document text
    • https://cdn.sqhk.co/tuseliwi/jgijigz/sizisogite.pdfIn PDF document text
    • http://xorabawik.medianewsonline.com/wamivuvezabozikikan.pdfIn PDF document text
    • http://kenugizi.getenjoyment.net/ejercicios_de_ecuaciones_de_primer_grado_2_eso_con_soluciones.pdfIn PDF document text
    • https://mutazodot.weebly.com/uploads/1/3/0/8/130874237/9150583.pdfIn PDF document text
    • http://sipataj.sportsontheweb.net/how_to_reset_kenwood_dpx501bt.pdfIn PDF document text
    • https://cdn.sqhk.co/romilononove/A3qUjbs/walking_dead_season_10_cast_lydia.pdfIn PDF document text
    • https://cdn.sqhk.co/wekababu/ijMgejh/asda_home_shopping_online_uk.pdfIn PDF document text
    • http://wotidoteked.mywebcommunity.org/gesowusolasezusebotivipi.pdfIn PDF document text
    • https://cdn.sqhk.co/xororasomig/ejeI4jj/5114498094.pdfIn PDF document text
    • https://wugovaxovagebi.weebly.com/uploads/1/3/0/9/130969592/tipuvedir_dadoxazowofidap.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://s3.amazonaws.com/tobovunoberiki/maxalul.pdfIn PDF document text
    • http://gaxilitexu.onlinewebshop.net/how_to_be_totally_miserable.pdfIn PDF document text
    • http://xowobovu.myartsonline.com/begarowofetofalakadureza.pdfIn PDF document text
    • https://s3.amazonaws.com/kewakuko/19317163664.pdfIn PDF document text
    • https://s3.amazonaws.com/ruzumeb/bonus_request_form_template.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e8ea.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE8EA 5384 bytes
SHA-256: 1396b15275826f6c05da49596ec099aa7f48453ed7dfe8de4f5499aa9a88e1b0
font_01_sfnt_off0000fb17.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFB17 9652 bytes
SHA-256: 5a0e8eeed7b42ca62d4d5e0896987261f6c2090d91ab49d63a7fdd0b6274659f