Malicious PDF — malware analysis report

Static analysis result for SHA-256 baf4f01476217709…

MALICIOUS

PDF

81.3 KB Created: 2021-03-19 23:10:34 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1597e1d163df619d77a6592b2ec1e80f SHA-1: d1194a62ebe7d834c9d453ede132a5083261818d SHA-256: baf4f01476217709543c44c4c2df63a0b42a78f4335d12ef9d2d6e0698e88d41
196 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains numerous external links, with a significant number of them pointing to potentially malicious or SEO-manipulated content, as indicated by the PDF_SEO_LINK_FARM heuristic. The SE_PAYMENT_REDIRECT_LURE heuristic suggests a business-email-compromise pattern, although the document body itself is heavily obfuscated and appears to be a lure related to 'cheat codes'. ClamAV also detected this file as Pdf.Phishing.Trojan.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Payment redirection / bank-detail change lure high SE_PAYMENT_REDIRECT_LURE
    Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://pelibifir.ru/wix?keyword=zombie+catchers+cheat+codes+2019
    • http://gojoges.iblogger.org/amortization_schedule_with_balloon_payment_template.pdf
    • https://cdn-cms.f-static.net/uploads/4365539/normal_60412d3a63169.pdf
    • https://static.s123-cdn-static.com/uploads/4401517/normal_5fe1ed9fb52b8.pdf
    • https://cdn.sqhk.co/leredupodeka/jgihIFO/pamovogixewasem.pdf
    • https://cdn.sqhk.co/manowipete/xjejcVH/angular_6_template_driven_vs_reactive_forms.pdf
    • https://cdn-cms.f-static.net/uploads/4493569/normal_60192e29d90ee.pdf
    • https://cdn-cms.f-static.net/uploads/4408864/normal_603d7d534a92c.pdf
    • https://cdn.sqhk.co/jelivapizivo/m0hdngd/earth_signs_and_water_signs_love.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/388a294f-bd8c-4064-b0db-be3c76569201/9880404748.pdf
    • https://uploads.strikinglycdn.com/files/fd34ccb3-b203-40e9-bd75-2e63b18415ab/how_to_trade_btc_for_beginners.pdf
    • https://uploads.strikinglycdn.com/files/7d414798-d881-4de1-ac36-f14626e241ce/31846538929.pdf
    • https://uploads.strikinglycdn.com/files/fd378a01-98f4-4360-acd9-7760690261da/20135891095.pdf
    • https://uploads.strikinglycdn.com/files/93a23e72-8b9c-4662-aaa3-5d6b5bdea5f8/buguna.pdf
    • https://b064d0e4-88d6-4b7e-8087-8ebf790fcba6.filesusr.com/ugd/ca32a8_6b1dcd2d4d794daabbda3cf7f7248c15.pdf?index=true
    • http://putojeferef.rf.gd/sturgeon_fishing_guides_portland_oregon.pdf
    • https://uploads.strikinglycdn.com/files/7c23dc67-e57b-4e04-8e70-715f6923a7ad/how_to_use_bacteriostatic_in_humidifier.pdf
    • https://uploads.strikinglycdn.com/files/9645f3d0-2504-45e1-99af-148f9a295ac6/22478258086.pdf
    • https://9df6fdd8-df71-43fb-87ad-b121b2de7416.filesusr.com/ugd/e0d0cf_3bc7c5bf0be847a6badfd075fa99a33f.pdf?index=true
    • https://uploads.strikinglycdn.com/files/4ad926a7-736c-48f6-a35c-f98197408705/study_quran_review.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f2db.bin
532d386469f44e6282960a31412a1550c5c99dcaf2630a30cd6e34fb3a2fd7db		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF2DB 5728 bytes
font_01_sfnt_off00010628.bin
9b268e929d5513e948884e53cbdd6b9b9a11d5cb2796ef6261e3a5b30722ae1f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10628 15076 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.