Malicious PDF — malware analysis report

Static analysis result for SHA-256 c789e5973684016e…

Verdict: MALICIOUS
File type: PDF
Size: 79.7 KB
Created: 2021-03-18 19:19:49 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a1b15ae697740d00bf967756ea90ef20
SHA-1: 7649c92c2361c09520c7428067e9e30a5541a63d
SHA-256: c789e5973684016e57c0a7accaddf45d671f080825055a8ae55a3224ccc7cdea
Risk Score: 126

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains heuristics indicating it is a link farm on disposable hosting, with a high ML score and ClamAV detection as a phishing trojan. The embedded URL points to a domain that appears to be used for distributing malware or phishing content, disguised as a game download. No scripts were extracted, but the overall structure and URL suggest a phishing attempt to redirect users to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9967

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL: https://jottigo.ru/123?utm_term=counter+strike++1.+6+original

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000fb5e.bin
    SHA-256: 95ba5fb8b2ed9a4794e63afbc004ba816ea169030e7f0a796a97e50ab1f4bac3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFB5E
    Size: 5060 bytes
  • Filename: font_01_sfnt_off00010cb4.bin
    SHA-256: d3e44eac17eecbd613d0a429888dc07f7c41fe718bffb72151179ccb4999f71d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10CB4
    Size: 10684 bytes