Malicious PDF — malware analysis report

Static analysis result for SHA-256 b2d1e8d723344e28…

Verdict: MALICIOUS
File type: PDF
Size: 68.3 KB
Created: 2021-03-30 11:09:47 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4bab76d340753afd8e7e4a646f20f7e9
SHA-1: eb1dd599bada1000e0294d5ec4118404a3822698
SHA-256: b2d1e8d723344e28aa0146f249d11bdae4bd2029b52347782e7fe8fb397d8f97
Risk Score: 196

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution

The PDF file contains numerous external links, with one heuristic specifically identifying a 'PDF link farm' designed for SEO manipulation. The presence of 'cmd_command_listfek09.pdf' in the document text and the ClamAV detection as 'Pdf.Phishing.Trojan' strongly suggest malicious intent. The ML classifier also flagged this PDF with a high probability of being malicious, indicating it likely exploits PDF vulnerabilities to execute code or redirect users to malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (6)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • [high] SE_LOLBIN_RUN_COMMAND: LOLBin token sequence in document text
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://dafemum.ru/wix?keyword=worksheet+11.1and+11.3+arc+length+and+sector+area+answers
    • http://kupiokno.su/windows_7_cmd_command_listfek09.pdf
    • https://worivoka.weebly.com/uploads/1/3/4/5/134588103/garekonenujato.pdf
    • https://cdn.sqhk.co/levuzivanu/C1QV0ie/16188781885.pdf
    • https://cdn.sqhk.co/xekixuzurim/776Qhby/electric_forklift_daily_inspection_checklist_template.pdf
    • https://cdn.sqhk.co/fuluzezufe/jW9VjcD/driving_road_signs_and_their_meanings.pdf
    • https://zudejuzire.weebly.com/uploads/1/3/2/6/132681250/1594571.pdf
    • https://tofexozulemun.weebly.com/uploads/1/3/0/9/130969243/fadinexagu_rovoluvo_bovenitufuvugun.pdf
    • http://load-bcp.com/plague_inc_cure_the_worldm9p1i.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/ec727f43-1a0f-46aa-9fcd-2069d08b54ba/fipeb.pdf
    • https://uploads.strikinglycdn.com/files/87c1c852-730d-46e0-8b2f-89cbad25a46b/weber_spirit_2_e310_assembly.pdf
    • https://uploads.strikinglycdn.com/files/018de670-f63d-4e0c-a886-fe20a6bc8206/boston_market_thanksgiving_catering_menu_2019.pdf
    • https://uploads.strikinglycdn.com/files/8d40906c-08bf-4e49-bcfd-3618ee55238f/haier_12000_btu_portable_air_conditioner_manual.pdf
    • https://uploads.strikinglycdn.com/files/536fd3c3-8576-4628-8fa3-2198541c35d8/how_do_you_fix_automatic_locking_hubs.pdf
    • https://03aaa7dd-6608-466c-a68c-f41c59811c05.filesusr.com/ugd/ae15ca_c902d81c35f0408ba53ad4e1d7de16f6.pdf?index=true
    • https://07d68bf2-0661-47e2-9ffe-eae068a071af.filesusr.com/ugd/fef806_ef0ea96b95e64114a48f57e6c8bd5578.pdf?index=true
    • https://0503187d-52cd-4237-9521-a3cb9bf551ae.filesusr.com/ugd/5bb01c_469dbac9c64d4faa9ed93436f625b28a.pdf?index=true
    • https://3cd6846c-369c-4875-9c63-132df726a2dd.filesusr.com/ugd/7ab50f_4872126d85b74d028beb5d2e586ba820.pdf?index=true
    • https://uploads.strikinglycdn.com/files/91961097-93d7-40e2-9417-1fe84d1dc47a/jijewoxesijimiwudiliti.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://uploads.strikinglycdn.com/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      | Kind            | Source                                     | Size
------------------------------|-----------------|--------------------------------------------|------------
font_00_sfnt_off0000cad9.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0xCAD9  | 5616 bytes
  SHA-256: 39e6c7d7247e14d298c02a35ca5b5a3abba68e25e6fc459c8f2d29ab7334cb34
font_01_sfnt_off0000de10.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0xDE10  | 10496 bytes
  SHA-256: 6a8c014f0cf307544eb32d3764f7558be7c8f93ef49a791bb111679823e9aa1a