Malicious PDF — malware analysis report

Static analysis result for SHA-256 cb57f966222c6870…

MALICIOUS

PDF

Size: 81.8 KB
Created: 2021-04-01 00:29:54 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-25
MD5: 185774cae4bd26f499b11bf493cc4b51
SHA-1: 5b08d68ba3a34375f787f13f6c077e47ca60a2c9
SHA-256: cb57f966222c68704081b06f4570b6368ec76811307702d2622d8343c26cc6fa
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, with one heuristic specifically identifying it as a 'PDF_SEO_LINK_FARM'. The primary URL, 'https://soxebez.ru/123?utm_term=bucaneras+con+plataforma+elastizadas', is likely used for phishing or to host malicious content. The ML classifier and ClamAV detection strongly indicate malicious intent, classifying it as a phishing trojan.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://soxebez.ru/123?utm_term=bucaneras+con+plataforma+elastizadas (PDF link annotation)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000e64a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE64A | 5400 bytes
  SHA-256: 746ffff7e08e758a2e7d219c6bc2cda9a3c9f2daaf6c2295862babd8ef5536f8
font_01_sfnt_off0000f89b.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF89B | 12928 bytes
  SHA-256: 2c7119cf382e45a2a9dbd69da503982256ccc7197bf7614a9bbe980e3eb5eba5
font_02_sfnt_off00012277.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12277 | 16204 bytes
  SHA-256: 31aa257675234f953cb39254c73a0c002637764ec2691c470e0912636c3685cf