Malicious PDF — malware analysis report

Static analysis result for SHA-256 c7870ba93c893d41…

Verdict: MALICIOUS
File type: PDF

Size: 81.8 KB
Created: 2021-03-30 10:05:07 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-24

MD5: 6c19d2e6f0a0e99c41891fb2fc6c2226
SHA-1: 2a2c7a8bb3543b6df19ebf7762b117c1238d71f6
SHA-256: c7870ba93c893d41ba7cc8157c690ffadffa963a929407d50d28d85b54e865ea

Risk Score: 226

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution

This PDF file contains an embedded JavaScript payload, identified by the 'PDF_EMBEDDED_SCRIPT_PAYLOAD' heuristic. The ML classifier and ClamAV detection strongly indicate maliciousness. The embedded script likely downloads and executes a second-stage payload from one of the numerous URLs found within the document, such as 'https://dugedepap.ru/123?utm_term=5.+1+audio+songs+free++english'. The presence of 'powershell.pdf' in the document text suggests potential command execution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (8)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (channel that reached each URL in parentheses):
    • https://dugedepap.ru/123?utm_term=5.+1+audio+songs+free++english (PDF link annotation)
    • https://cdn.sqhk.co/xoxujagemo/e7a5jfq/4th_grade_multiplication_worksheets_with_answers.pdf (PDF document text)
    • https://cdn.sqhk.co/raxinosi/UhfheqJ/lukeworenepele.pdf (PDF document text)
    • https://cdn.sqhk.co/jukowejazus/gioidrP/rulorugulagelute.pdf (PDF document text)
    • http://smcjd.com/how_to_reset_casio_calculator_fx-9860giiitlj8.pdf (PDF document text)
    • https://cdn-cms.f-static.net/uploads/4380088/normal_6025fd2982aec.pdf (PDF document text)
    • http://tamodemuror.getenjoyment.net/68063639504.pdf (PDF document text)
    • http://help-copyrightservice.xyz/barn_burning_social_class_themekvqqc.pdf (PDF document text)
    • http://fimewot.xyz/padi_open_water_certification_tulum8phx2.pdf (PDF document text)
    • http://rapoxarawiwalo.sportsontheweb.net/zend_avesta_fechner.pdf (PDF document text)
    • http://bulakirip.getenjoyment.net/what_is_the_best_gas_mask_filter.pdf (macro / runtime command snippet)
    • http://wuduwoguto.22web.org/48455215647.pdf (macro / runtime command snippet)
    • https://cdn-cms.f-static.net/uploads/4472506/normal_5fd995cc5ce53.pdf (PDF document text)
    • https://cdn-cms.f-static.net/uploads/4470385/normal_601ddaab50d62.pdf (PDF document text)
    • https://cdn.sqhk.co/gijimexuv/oCyggbK/wulufikexad.pdf (PDF document text)
    • http://goldotzyv.ru/dedarabadogapuruxehmsdo.pdf (PDF document text)
    • https://cdn.sqhk.co/mijajijem/pPgg3jj/soturazedunazetev.pdf (PDF document text)
    • http://rapoxarawiwalo.sportsontheweb.net/zend (macro / runtime command snippet)
    • http://www.ascendercorp.com/ (PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (PDF document text)
    • http://dokudaruriwiv.atwebpages.com/lokosarozuba.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/a5f2b51f-d909-4593-8a55-8c58eb3f6ca5/yamaha_ef3000iseb_generator_battery_replacement.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/2ac285ed-8d39-4130-9d84-f231a6a77fbf/what_are_the_five_elements_of_narrative_identified_by_this_chapter.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/0ab01336-5adc-45a8-82c8-2e4310df1d24/crosley_record_player_turntable_not_spinning.pdf (PDF document text)
    • http://kovemipenege.rf.gd/azure_ad_connect_powershell.pdf (PDF document text)
    • http://fimamuvumurepu.rf.gd/dodopisidudesupijinuwexa.pdf (PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (PDF document text)
    • http://purl.org/dc/elements/1.1/ (PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (PDF document text)
    • http://ns.adobe.com/xap/1.0/ (PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (PDF document text)
    • http://scripts.sil.org/OFL (PDF document text)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size
embedded_pdf_script_000098f8.bin
  Kind: pdf-embedded-script
  Source: PDF decompressed stream script payload at offset 0x98F8
  Size: 83754 bytes
  SHA-256: 03d59d24515634bc3eb126c67159b4fa198f64adf789d4421ae330ed18d7d71c
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 shell/COM execution token(s).
Preview of extracted script (first 1,000 lines):
%PDF-1.4
1 0 obj
<<
/Title (�� 5 .   1   a u d i o   s o n g s   f r e e   e n g l i s h)
/Creator (�� w k h t m l t o p d f   0 . 1 2 . 5)
/Producer (�� Q t   4 . 8 . 7)
/CreationDate (D:20210330100507+03'00')
>>
endobj
3 0 obj
<<
/Type /ExtGState
/SA true
/SM 0.02
/ca 1.0
/CA 1.0
/AIS false
/SMask /None>>
endobj
4 0 obj
[/Pattern /DeviceRGB]
endobj
6 0 obj
<<
/Type /XObject
/Subtype /Image
/Width 625
/Height 155
/BitsPerComponent 8
/ColorSpace /DeviceRGB
/Length 7 0 R
/Filter /DCTDecode
>>
stream
[binary DCTDecode (JPEG) image stream bytes omitted: not representable as text]
... (truncated)
font_00_sfnt_off00010267.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10267
  Size: 5284 bytes
  SHA-256: dba30dbd8c4a95561ff1be5d16df68e0a7372b9444f09f961fde029d0296f15c
font_01_sfnt_off00011461.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x11461
  Size: 11044 bytes
  SHA-256: 5c1c5de03c597d8e6d36a020744b9a0db6baec49b04c1267543d85b0aad535ed