Malicious PDF — malware analysis report

Static analysis result for SHA-256 c233a0e2a2f60076…

MALICIOUS

PDF

110.9 KB Created: 2021-04-06 09:43:02 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-23
MD5: 8784a09abae5c67cb76a2f5f081e329d SHA-1: ddd6b924e67d911ac8f0d9b8dca5aee3ad6e989d SHA-256: c233a0e2a2f600765e6c1a79656bf4eeea0337b4bcc3c6acee5f1d054f47fb25
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://nipisod.ru/strik?utm_term=how+many+hours+long+is+pretty+little+liars PDF link annotation
    • https://cdn.sqhk.co/xeloxilava/OidMy9H/76849608219.pdfIn PDF document text
    • https://cdn.sqhk.co/posebozej/RicibjW/xaxavisoxosunogixewew.pdfIn PDF document text
    • https://cdn.sqhk.co/suxepemup/bgiqp1s/lenovo_ideapad_330_reviews.pdfIn PDF document text
    • https://cdn.sqhk.co/mumaxeje/jjshiLT/umc_covid_testing_cashman_center.pdfIn PDF document text
    • https://cdn.sqhk.co/vedasukuki/jdiiehg/mens_short_haircuts_2020_thick_hair.pdfIn PDF document text
    • http://mon-cmso.best/panegavumupifu48egw.pdfIn PDF document text
    • https://cdn.sqhk.co/xelalizogim/JjedqeS/46363838179.pdfIn PDF document text
    • http://lnstagramcopyrightcenter.com/yaar_nuri_ztrk_kuran_kerim_trke_meali_satn_alxmves.pdfIn PDF document text
    • https://cdn.sqhk.co/kekelivig/j9UhhQD/sovizovigo.pdfIn PDF document text
    • http://ipatovaalena.ru/49427420127zxft8.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://19972ee8-34f0-4900-8009-9f590161cd02.filesusr.com/ugd/64db51_ec052db8945745108b1ca793818e9c60.pdf?index=trueIn PDF document text
    • https://591e60e9-54e8-4b06-a9a7-f2e0522969d0.filesusr.com/ugd/1fd4b7_c0d1a1eff58e4c23934c17e4c44bcefc.pdf?index=trueIn PDF document text
    • https://s3.amazonaws.com/mokixetat/86074290516.pdfIn PDF document text
    • https://f6ea5e03-7e7c-4dce-82ee-fd5d223759ef.filesusr.com/ugd/d203ad_cd3a7e6dd4c5465898e1b4d168c2f1d2.pdf?index=trueIn PDF document text
    • https://s3.amazonaws.com/megelugik/poesia_em_viagem_blaise_cendrars.pdfIn PDF document text
    • https://s3.amazonaws.com/jefobexapulow/luxepisowupun.pdfIn PDF document text
    • https://s3.amazonaws.com/xalasawu/border_patrol_uniform_pants.pdfIn PDF document text
    • https://s3.amazonaws.com/norozovijalu/how_does_buying_and_selling_bitcoin_work_on_cash_app.pdfIn PDF document text
    • https://0df22b04-17ae-4e65-9af8-3af4445b4601.filesusr.com/ugd/71fd01_f857e7924e584d18b353277869d42147.pdf?index=trueIn PDF document text
    • https://a2ae8793-a99f-480d-a3bc-849ef63d34f7.filesusr.com/ugd/cc207a_aa0fcedb8bd44fb28f6eeb2de1ea6bdb.pdf?index=trueIn PDF document text
    • https://s3.amazonaws.com/xijuxosisomuna/wirudetawulavefedubenoj.pdfIn PDF document text
    • https://s3.amazonaws.com/sowewazulejewi/sport_dog_shock_collar_troubleshooting.pdfIn PDF document text
    • https://s3.amazonaws.com/babuxufarizuxur/dofuvogutukifaro.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00017408.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x17408 5388 bytes
SHA-256: 1d7058311fc06daa027b2023ef660032fa1e489b85f6f4d4a89a12af04b9dd4b
font_01_sfnt_off00018644.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x18644 11592 bytes
SHA-256: ef0ca34ace31e148c43a964a8ddafd772934b188613c91ca68d0a4378f5f6cf4

Open this report in the interactive analyzer, or submit your own file for analysis.