Malicious PDF — malware analysis report

Static analysis result for SHA-256 c2f94fc12e91b491…

Verdict: MALICIOUS
File type: PDF
Size: 86.1 KB
Created: 2021-04-08 23:21:57 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-16
MD5: 8ba6fba3a3914fa6910531040887c3d0
SHA-1: 2cead0171ee85481ccf77da20f11db41732661e4
SHA-256: c2f94fc12e91b49178912029e7f7d7eb8d819965fc1a605582f9873ede181bd9
Risk score: 186

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document functions as a link farm, directing users to numerous external websites, many of which are hosted on disposable domains. The primary URL, 'https://jacksth.ru/strik?utm_term=american+standard+furnace+red+light+blinking+2+times', suggests a lure related to technical support or product issues. Both the ClamAV signature and the machine-learning classifier fired on this file, which indicates a high likelihood of malicious intent, most likely phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • External URI [info] PDF_URI
    The PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://jacksth.ru/strik?utm_term=american+standard+furnace+red+light+blinking+2+times (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off00011203.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11203 | 5760 bytes | 767613c6dbb058e6e8ec8b025254e65ed210e58273573e9c20a226607987888e
font_01_sfnt_off00012576.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12576 | 10888 bytes | 8b142622acd5452773904f4cf4416c6cd5069c7885d3019d92580c4edc14c1bf