Malicious PDF — malware analysis report

Static analysis result for SHA-256 b04eb726dbfdd849…

Verdict: MALICIOUS
File type: PDF
Size: 73.4 KB
Created: 2021-03-28 12:48:10 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-23
MD5: e402db196041ae981fcc665bfd80f294
SHA-1: d5e920f76119fb497acf64699fea3cff95555263
SHA-256: b04eb726dbfdd849bd99b1e4cb232eb8391828143c791cad51db64023484e74a
Risk Score: 244

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

This PDF file contains a large number of embedded links, many of which point to external PDFs hosted on disposable domains, forming a link farm. One of the primary links directs to a known malicious redirector infrastructure. The ML classifier and ClamAV also flagged this file as malicious, indicating a phishing or trojan distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs (source channel in brackets):
    • https://dafemum.ru/strik?utm_term=how+do+you+fix+a+maytag+washer+that+won%2527t+start [In PDF document text]
    • https://dizubegunusu.weebly.com/uploads/1/3/4/8/134889053/suridemadipulubube.pdf [In PDF document text]
    • https://giruwaferelesed.weebly.com/uploads/1/3/4/8/134850821/sivawigon-wamumezali.pdf [In PDF document text]
    • http://www.ascendercorp.com/ [In PDF document text]
    • http://www.ascendercorp.com/typedesigners.html [In PDF document text]
    • https://ae0ecf71-49bb-4ac4-bba4-d0f2a20d1af9.filesusr.com/ugd/668a47_b899a6fae518454089bdd81368d2a64e.pdf?index=true [In PDF document text]
    • https://435a888a-8f80-410d-aa77-77edd6e4491d.filesusr.com/ugd/51fec0_85d10897a97e480a85724c148bc13297.pdf?index=true [In PDF document text]
    • https://620678a0-8f5b-407b-881a-8a96a128c1c4.filesusr.com/ugd/25b7a6_e3ef516d2c5f49779b15166470eea0ea.pdf?index=true [In PDF document text]
    • https://656adf98-7a81-40bd-8d0f-2b9c27d09201.filesusr.com/ugd/268ab1_e4833fe83c3c427c8dab5ddc3d09ae52.pdf?index=true [In PDF document text]
    • https://s3.amazonaws.com/belapawerezuju/37410768154.pdf [In PDF document text]
    • https://s3.amazonaws.com/sowirutelevolur/dakemasivurudevidu.pdf [In PDF document text]
    • https://55963656-6eb1-4b25-bcd5-bb835d65808b.filesusr.com/ugd/0064ae_d132849874a546c49b053edc684124bc.pdf?index=true [In PDF document text]
    • https://6731adf0-0bfb-4e29-9024-dbf0b6c78d19.filesusr.com/ugd/163ed7_5f5468d80f0844738290dc66a58b0e4a.pdf?index=true [In PDF document text]
    • https://92e0cadd-ca3c-497d-ba7d-1aece6ee6da0.filesusr.com/ugd/008e52_80cbc16523c449f99d223cf31d6f3ef1.pdf?index=true [In PDF document text]
    • https://c480cc3d-c044-45b7-a7fa-747782367dcd.filesusr.com/ugd/a26f59_262408737ba54c73a68ef83bae38ef5c.pdf?index=true [In PDF document text]
    • https://f730d15c-1921-46d2-b6d4-288333e40990.filesusr.com/ugd/e2c223_e2febded8c4a41719265b5e9188646d8.pdf?index=true [In PDF document text]
    • https://436c154b-1c2d-4c60-9768-ed3a268ef5e1.filesusr.com/ugd/e8e253_a7e17f5344074e95bd19f405887592e6.pdf?index=true [In PDF document text]
    • https://s3.amazonaws.com/padadutiseni/27124255342.pdf [In PDF document text]
    • https://313cea95-bd78-4864-9d9d-3b26c3bbe0bd.filesusr.com/ugd/2142af_025c19a184734556a6ffee44c3354edf.pdf?index=true [In PDF document text]
    • https://2c5a832e-93c4-4ab0-bef0-969ef348d747.filesusr.com/ugd/cc5daa_d1a3a13fd23f4941ba6b010263f00c54.pdf?index=true [In PDF document text]
    • https://b5c90759-dbf8-4ccd-b12d-e23c958527f9.filesusr.com/ugd/915a55_1bf6bc7bded64aeeb5d70d569e3f4268.pdf?index=true [In PDF document text]
    • https://fa53e508-d88d-41cb-897c-7a5b6f1bfcc3.filesusr.com/ugd/361045_92ce531961894977b810bdc4cf29003e.pdf?index=true [In PDF document text]
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# [In PDF document text]
    • http://purl.org/dc/elements/1.1/ [In PDF document text]
    • http://ns.adobe.com/pdf/1.3/ [In PDF document text]
    • http://ns.adobe.com/xap/1.0/ [In PDF document text]
    • http://ns.adobe.com/xap/1.0/mm/ [In PDF document text]
    • http://ns.adobe.com/xap/1.0/rights/ [In PDF document text]
    • http://scripts.sil.org/OFL [In PDF document text]

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000e18c.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE18C
    Size: 5548 bytes
    SHA-256: 70015aa38c13f8c2d0e171ae408c955f4de28fa9e545aee1f9ddb4bff22be701
  • Filename: font_01_sfnt_off0000f464.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF464
    Size: 10348 bytes
    SHA-256: 5c839496bf9033503a798e2732c8af487958e4a0de002547f659253896a441c8