Malicious PDF — malware analysis report

Static analysis result for SHA-256 cab564d20633f5f1…

MALICIOUS

PDF

77.9 KB Created: 2021-04-03 19:37:12 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 956e5ffd711a63dfe36ab9877c300a52 SHA-1: 779b7888511de30da5b8a090824bda7d4d24a788 SHA-256: cab564d20633f5f156d1fecf6ba84836d155887388396d8c384a414307109aa7
194 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF contains embedded JavaScript and a large number of external links, many pointing to disposable hosting. The primary heuristic firings indicate this is a link farm designed to redirect users, likely for phishing or SEO spam. The embedded JavaScript may be used to facilitate the redirection or exploit PDF vulnerabilities.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9960

Heuristics 7

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://pelibifir.ru/strik?utm_term=how+many+calories+in+a+large+firehouse+sub
    • https://zisaneviz.weebly.com/uploads/1/3/4/3/134319132/gejejexena-dokigotos-subujewaz-buwijeji.pdf
    • https://jakineporop.weebly.com/uploads/1/3/5/3/135302356/zitujijigo.pdf
    • https://tirotulesi.weebly.com/uploads/1/3/4/8/134849952/70af61.pdf
    • https://dolunejasuvufa.weebly.com/uploads/1/3/0/7/130776008/056903951df2d.pdf
    • https://lavovozanu.weebly.com/uploads/1/3/0/7/130739022/vofisazize.pdf
    • https://vuwarudud.weebly.com/uploads/1/3/5/3/135314702/f9e0bd627eb4.pdf
    • https://nunavataregexo.weebly.com/uploads/1/3/0/7/130775742/7ff163fe.pdf
    • https://tefuvorarap.weebly.com/uploads/1/3/2/6/132682785/favozadepekunepi.pdf
    • https://retixuzekuzexaw.weebly.com/uploads/1/3/4/3/134375726/9589878.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://tivemuga.rf.gd/you_are_the_universe_in_ecstatic_motion_quotes.pdf
    • https://f89b8795-a90f-4359-81e0-6309601a98d9.filesusr.com/ugd/8e7730_36b388e4a47144898d772d9039bf03c7.pdf?index=true
    • https://571cbd0a-ba82-408d-be6d-2df53a8fcfe5.filesusr.com/ugd/02af14_4f2c662575fc402b83dd4faf921073c3.pdf?index=true
    • https://19eae752-0dc2-40b2-988a-3ead9c543f91.filesusr.com/ugd/dee0a8_abbc810b4ee44f4dbf7a17eae258849d.pdf?index=true
    • http://dalizavok.rf.gd/chammak_challo_video_hd_song.pdf
    • https://8f1c0ae7-1ba6-4c51-a623-4d29f5e3aebb.filesusr.com/ugd/c1615c_84b6edf7fae74dc9a7b7f88c6800c7ab.pdf?index=true
    • http://judafigot.rf.gd/lotiregerezeso.pdf
    • http://taxifegizuni.epizy.com/93614344132.pdf
    • http://zogirifo.epizy.com/4245862514.pdf
    • https://6552665f-f3ce-4070-9f47-7b493df4570a.filesusr.com/ugd/3d88c7_1192ca5c705743f09064cbb6a3be0fe5.pdf?index=true
    • http://ravitog.rf.gd/80375413768.pdf
    • https://cf176ec6-4820-456b-adf9-61e5f06c968f.filesusr.com/ugd/43d598_ff5c25ec89a44eb9a536362c45dfff4b.pdf?index=true
    • http://zebivavube.epizy.com/basketball_plays_names.pdf
    • https://d7e981a8-8c4a-445e-aef0-60d3d4911bd2.filesusr.com/ugd/65d69c_9ce40305128f41f0bf547549a8c21e45.pdf?index=true
    • http://veluvuwipigunuw.rf.gd/giwulolaliwigenali.pdf
    • https://4123e755-5e7e-4fb8-b167-49ba90d37259.filesusr.com/ugd/fd3290_2ad2f6d18f5c46f98deb33934c3e3b8a.pdf?index=true
    • http://tuwelifijija.rf.gd/gigadixixekufumilule.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f131.bin
4f66e12b704df90ad83088a82031205698bca9a7c1656080ea664445079fa495		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF131 5592 bytes
font_01_sfnt_off0001041f.bin
f4a44249643d7b4595f74ad9b0db476267ebc6d674442c63f78bc46ece5091a2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1041F 11060 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.