Malicious PDF — malware analysis report

Static analysis result for SHA-256 cbacd4044858055c…

MALICIOUS

PDF

Size: 72.9 KB
Created: 2021-06-08 08:48:42 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-25
MD5: 1c6f50f41edee991a7a9fcdc93a53a6d
SHA-1: a8ed35a33adcaf8d050bcd5137f4de99711ad831
SHA-256: cbacd4044858055c01652baca91cfa99ccff6ea6cbad79693b09f457b40812da
Risk score: 244

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of embedded links, many of which are designed to appear as search results for popular content, acting as a link farm. One critical heuristic identified a repeated payload link to 'chcial.ru', suggesting an attempt to redirect users to malicious content. The ML classifier and ClamAV detection strongly indicate malicious intent.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9996

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Invisible/repeated PDF links deliver payload file [critical, PDF_REPEATED_PAYLOAD_LINK_LURE]
    PDF uses invisible link annotations and points to a direct payload download. Repeated invisible links or lure-like payload names such as document/unlock/verify archives match malware-delivery PDF carriers where the page is only a prompt and the real payload is fetched from the linked URL.
  • Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting [medium, PDF_SEO_DISPOSABLE_LINK_FARM]
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk lies in the linked destinations.
  • Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000df30.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xDF30 | 5580 bytes
  SHA-256: 6d31790719b0e352c08966185516a8dda085493c9efabb8b5347df6a92cb9ed4
font_01_sfnt_off0000f21c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF21C | 10040 bytes
  SHA-256: 079fb46958b7b9bdad17d9e2c8281d9b8caef4a734781015b59b58c109f27e5a