Malicious PDF — malware analysis report

Static analysis result for SHA-256 b7740a3d077ffdb1…

Verdict: MALICIOUS
File type: PDF
Size: 76.0 KB
Created: 2021-03-29 10:16:00 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-22
MD5: 6b23143ee71d86017c516d2cdfe8169b
SHA-1: 9a18b9cd03fb43b9afaf427a0729ec5ea0b25a2f
SHA-256: b7740a3d077ffdb1835189d21f31b2bfac4203d725ab1e1e9841965c6443a52c
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF carries a large number of external links, most of them pointing at further PDFs clustered on a single host, which matches an SEO link-farm carrier built to route users onward rather than a document with a normal citation pattern. The wkhtmltopdf authoring application is consistent with a generated (HTML-to-PDF) carrier. The ClamAV signature and the ML classifier both score the file as phishing/malicious. No JavaScript or other script content was extracted; the delivery path is the embedded URLs themselves (one /URI link-annotation action plus URLs in the page text), so the sample depends on the user following a link rather than on any exploit observed in the file.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins parser and a last-wins parser will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates (a conforming reader follows the xref/Prev chain rather than file order), so severity is raised only when the duplicate carries active content (JavaScript, OpenAction, launch or URI actions).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://druttle.ru/award?keyword=html+to+pdf+angular+npm (PDF link annotation)
    • https://cdn.sqhk.co/jemajujo/Ygfggfm/alan_walker_best_music_ringtone_download.pdf (in PDF document text)
    • https://cdn.sqhk.co/simikitivo/dSGUgeY/7561545437.pdf (in PDF document text)
    • https://cdn.sqhk.co/xumifutave/ieOrwmQ/under_map_glitch_gta_5.pdf (in PDF document text)
    • https://cdn.sqhk.co/zabeluzitema/yWM1cig/turenajizune.pdf (in PDF document text)
    • https://cdn.sqhk.co/nitunoda/bOgcXjb/nesajomukobuji.pdf (in PDF document text)
    • https://cdn.sqhk.co/luwokiseg/d5pPgix/kedigamami.pdf (in PDF document text)
    • https://cdn.sqhk.co/saxamabewido/m2PkRCJ/38267315765.pdf (in PDF document text)
    • https://cdn.sqhk.co/kisunika/Yhjthfv/66858607304.pdf (in PDF document text)
    • https://cdn.sqhk.co/sujubowip/hbif5Ux/sonic_adventure_dx_director_s_cut_review.pdf (in PDF document text)
    • https://cdn.sqhk.co/nugilatunu/lJjdRib/sharpen_the_saw_activities_for_middle_school.pdf (in PDF document text)
    • https://cdn.sqhk.co/dudurejavir/gCggU0G/repazetovagasosatov.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://uploads.strikinglycdn.com/files/666576aa-5f49-4361-bb7d-6f7f234cf9dc/45475910998.pdf (in PDF document text)
    • https://13ea8442-998f-4f14-ba3b-7f37e53a414c.filesusr.com/ugd/008a9f_ff1e0412f48a4f6182ed55ee200d11e8.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/d867f6f6-2872-4c73-81b4-7ad691aa9bdd/wagumuguvixi.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/f3d0d771-0784-498a-b86e-203aad52952e/ryobi_31cc_700r_weed_eater_parts.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/e9475b1e-4a59-45b6-977f-920df5a4eb01/how_to_write_effective_business_correspondence.pdf (in PDF document text)
    • https://37976aa0-f55f-47d3-847a-8d185b13ebf6.filesusr.com/ugd/1d6212_1ce69be088be422eb44c5cc632309d71.pdf?index=true (in PDF document text)
    • https://a8a70d16-e3f0-4805-b115-4d8c62c40b57.filesusr.com/ugd/82e28d_872ebe00c8044506955425f55a084770.pdf?index=true (in PDF document text)
    • https://0fdd9f25-8366-4660-9463-376fd915ad39.filesusr.com/ugd/c16cf9_8bfc04920bf74b5b810a6a5028933b26.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/d16837ef-2794-4860-a16e-cca7770c898f/46452131489.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/f93d0c5a-fc6d-4c77-bd39-97796401ce82/mupekipebutinimovikogawas.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    Only the druttle.ru entry is a clickable link annotation; the rest were recovered from document text. The www.w3.org, purl.org and ns.adobe.com entries are XMP metadata namespace URIs, http://scripts.sil.org/OFL is the SIL Open Font License URL that font files commonly carry in their metadata, and ascendercorp.com is a font foundry site; none of these are navigable page links and they are not part of the link farm. The link farm proper is the cdn.sqhk.co cluster plus the strikinglycdn.com and filesusr.com PDFs.
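The two structural heuristics above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, can be reproduced with a short raw-byte scanner. The Python below is an added example and not the analysis platform's code: the thresholds (at least 8 external .pdf links, 60% of them on one host, file no larger than 200 KB), the example.test hostnames and the skeletal PDF it scans are all constructed for illustration, and it resolves duplicate objects by file order rather than through the xref table, which is a simplification of what real readers do.

```python
"""Link-farm scoring and duplicate-object detection over raw PDF bytes.
Added example over a constructed input; not the platform's code, not the real sample."""
import re
from collections import Counter
from urllib.parse import urlsplit

# "N G obj ... endobj" bodies in file order. A conforming reader resolves objects
# through the xref table / Prev chain; a linear scan approximates a first-wins
# parser (first copy) and a reader that rebuilds the xref (last copy wins).
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")  # targets of /URI link actions
TEXT_URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&*+,;=%\[\]-]+")
# "Active content" keys that raise a duplicate-object finding from info to critical.
ACTIVE_RE = re.compile(rb"/(JavaScript|JS|OpenAction|AA|Launch|URI|SubmitForm|GoToR)\b")


def iter_objects(data):
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip()


def find_duplicate_objects(data):
    """{(num, gen): [body, ...]} for objects defined more than once with differing bodies."""
    seen = {}
    for num, gen, body in iter_objects(data):
        seen.setdefault((num, gen), []).append(body)
    return {k: v for k, v in seen.items() if len(set(v)) > 1}


def resolve(data, num, gen, last_wins=True):
    """Body that a first-wins or last-wins reader would use for object (num, gen)."""
    bodies = [b for n, g, b in iter_objects(data) if (n, g) == (num, gen)]
    if not bodies:
        return None
    return bodies[-1] if last_wins else bodies[0]


def duplicate_object_findings(data):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: info unless a duplicate body carries active content."""
    findings = []
    for (num, gen), bodies in find_duplicate_objects(data).items():
        active = any(ACTIVE_RE.search(b) for b in bodies)
        findings.append({"object": f"{num} {gen}", "copies": len(bodies),
                         "severity": "critical" if active else "info"})
    return findings


def extract_urls(data):
    """[(url, channel)]: /URI link-annotation targets first, then bare URLs elsewhere in the bytes."""
    found, seen = [], set()
    for regex, channel in ((URI_RE, "PDF link annotation"), (TEXT_URL_RE, "PDF document text")):
        for m in regex.finditer(data):
            u = (m.group(1) if regex is URI_RE else m.group(0)).decode("latin-1")
            if u not in seen:
                seen.add(u)
                found.append((u, channel))
    return found


# Thresholds are this example's assumptions; the report does not publish the platform's cut-offs.
def link_farm_score(data, min_pdf_links=8, cluster_ratio=0.6, max_size=200 * 1024):
    """PDF_SEO_LINK_FARM: small file, many links to external .pdf files, mostly on one host."""
    pdf_links = [u for u, _ in extract_urls(data) if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in pdf_links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_n / len(pdf_links) if pdf_links else 0.0
    return {"size": len(data), "pdf_links": len(pdf_links), "top_host": top_host,
            "top_host_share": share,
            "hit": len(data) <= max_size and len(pdf_links) >= min_pdf_links and share >= cluster_ratio}


def build_sample_pdf():
    """Constructed input (not a real sample): skeletal PDF whose page content object
    (4 0) is defined twice, the second copy carrying the link-farm text."""
    farm = [b"https://cdn.example-farm.test/%d/%d.pdf" % (i, 1000 + i) for i in range(9)]
    farm += [b"https://uploads.example-cdn.test/files/abc/notes.pdf",
             b"https://files.example-host.test/ugd/item.pdf?index=true"]
    farm_text = b"".join(b"(%s) Tj T*\n" % u for u in farm)
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >> endobj\n"
            b"4 0 obj << /Length 20 >> stream\nBT (Hello) Tj ET\nendstream endobj\n"
            b"5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
            b"/URI (https://lure.example.test/award?keyword=html+to+pdf) >> >> endobj\n"
            b"6 0 obj << /Type /Metadata >> stream\n"
            b'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dc="http://purl.org/dc/elements/1.1/"\n'
            b"endstream endobj\n"
            b"% incremental update appended later: the content object is redefined with a different body\n"
            b"4 0 obj << /Length 600 >> stream\nBT\n" + farm_text + b"ET\nendstream endobj\n")


# Constructed shape where the redefinition adds active content (same catalog object, second copy with /OpenAction).
SAMPLE_ACTIVE_DUP = (b"7 0 obj << /Type /Catalog >> endobj\n"
                     b"7 0 obj << /Type /Catalog /OpenAction << /S /JavaScript /JS (x) >> >> endobj\n")

if __name__ == "__main__":
    pdf = build_sample_pdf()
    print(link_farm_score(pdf))
    print(duplicate_object_findings(pdf), duplicate_object_findings(SAMPLE_ACTIVE_DUP))
    print(resolve(pdf, 4, 0, last_wins=False)[:40], resolve(pdf, 4, 0)[:40])
```

To run it over a real file, replace build_sample_pdf() with the bytes of the file. A raw byte scan only sees what is stored in clear: /URI targets inside compressed object streams and URLs inside Flate-encoded content streams are invisible to it, so decompress with a PDF library before counting, and exclude XMP namespace and font-license URIs as the report's own URL list shows they are not part of the farm.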

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                       Kind             Source                                      Size
font_00_sfnt_off0000eb31.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xEB31    5144 bytes
  SHA-256: acf4d9d7b98e6a859861c45a5537ae6a972b3967e0be2eb5df7f25b655b09b8d
font_01_sfnt_off0000fc9c.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xFC9C   11208 bytes
  SHA-256: f54e555bf056543bb7485b601a789d26177879f677966a71f301bcfc8249cbf0