Malicious PDF — malware analysis report

Static analysis result for SHA-256 ba9b9ee8577f1c9b…

MALICIOUS

PDF

67.3 KB Created: 2021-02-26 23:51:56 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-16
MD5: d4177f292ee66c48d895af2ace71ca5b SHA-1: dccc26310a5a0190a37a41b5c82f054d2b9aaa59 SHA-256: ba9b9ee8577f1c9befe03c04fde122456e12ea5c154d92f7e3ff42edd903cb4d
226 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

The PDF contains a large number of external links, many hosted on disposable domains, suggesting a link farm designed to distribute malicious content. The 'SE_PASSWORD_ARCHIVE_LURE' heuristic indicates the document likely provides instructions to decrypt a password-protected archive, a common tactic to bypass security scanners. The ML classifier and ClamAV detection strongly indicate malicious intent, likely related to phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://pelibifir.ru/strik?utm_term=how+to+configure+ncomputing+vspace+in+windows+7 PDF link annotation
    • http://metoxegid.mygamesonline.org/rovexodomaruw.pdfIn PDF document text
    • https://tezijetukiresu.weebly.com/uploads/1/3/5/3/135394197/4716911.pdfIn PDF document text
    • http://im-marceting.site/jigisujuserva7u.pdfIn PDF document text
    • https://gabejudunutulan.weebly.com/uploads/1/3/4/8/134887900/3208742.pdfIn PDF document text
    • http://gayerkan.com/idle_heroes_realms_gateepp5p.pdfIn PDF document text
    • http://fitokaps.xyz/anatomy_and_physiology_coloring_workbook_answer_keyi1kg3.pdfIn PDF document text
    • https://nozonefabizeg.weebly.com/uploads/1/3/0/9/130969368/3942571.pdfIn PDF document text
    • https://nawexolaka.weebly.com/uploads/1/3/4/7/134704757/tekoguniwupiroj.pdfIn PDF document text
    • http://tupaxeguna.scienceontheweb.net/stephen_king_the_outsider_reviews.pdfIn PDF document text
    • http://dimozakebaba.scienceontheweb.net/how_to_delete_facebook_account_2020_ios.pdfIn PDF document text
    • http://xitabijasava.getenjoyment.net/mcgraw_hill_cissp_all-in-one_exam_guide.pdfIn PDF document text
    • https://tawozajoruje.weebly.com/uploads/1/3/4/3/134314125/wubesuxavixu.pdfIn PDF document text
    • http://testertumentum.space/dukariwixopqvuz.pdfIn PDF document text
    • http://powajaxib.medianewsonline.com/epson_v370_perfection_flatbed_scanner_argos.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://wuwedilejom.myartsonline.com/what_does_guerrilla_warfare_mean_in_social_studies.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c969.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xC969 5636 bytes
SHA-256: 6f68b1896fc09cea7e4a011e8745d0e92be34ea0abfefc81a1b1560ec8b6c837
font_01_sfnt_off0000dca2.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDCA2 10428 bytes
SHA-256: 4985e3a0e828ab304e09309c79104cea0baabb4329b864c40f561753dfc887f1