Malicious PDF — malware analysis report

Static analysis result for SHA-256 c53a6fc0d68ce529…

Verdict: MALICIOUS
File type: PDF
Size: 74.9 KB
Created: 2021-06-03 08:00:25 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-25
MD5: 2bd5a083202a56338adfd46964518f59
SHA-1: 53f4cd2fb9512b4d8242e53f9a90f9620090ded9
SHA-256: c53a6fc0d68ce529fa01306dde1bff0af169984077c2650535aa136f78309023
Risk score: 126

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF triggers heuristics indicating that it is a link farm hosted on disposable infrastructure; a high ML score and a ClamAV detection confirm the malicious verdict. The embedded URL https://gimoguvi.ru/123?utm_term=reformed+churches+of+god+in+christ+international is the primary IOC and suggests a phishing or malware-distribution attempt. No scripts were extracted, but the PDF structure itself is indicative of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://gimoguvi.ru/123?utm_term=reformed+churches+of+god+in+christ+international (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000e7e9.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE7E9
    Size: 5444 bytes
    SHA-256: 0da7ee90d5af190bbfc50bf6e58f5ae28e98f1ab0b46e263bb87db9d7e40aa91
  • font_01_sfnt_off0000fa48.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFA48
    Size: 10520 bytes
    SHA-256: 258cc9b6cbf1bdd5c427af473784d1a29961ec8a411aba21787da56bc80eca1b