Malicious PDF — malware analysis report

Static analysis result for SHA-256 cbaff1b8851de55c…

Verdict: MALICIOUS

File type: PDF

Size: 101.1 KB
Created: 2021-03-10 01:45:29 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-07-02
MD5: 1d53f4be9767020786b8cf6d8fda57a3
SHA-1: 823c2dd96d5d9f0ba011e6ca8a26c3bdf151cb8d
SHA-256: cbaff1b8851de55c6122d95ad1bc1c034580cd5420f5f3867b11043da8af1ed1
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of embedded external links, many of which are likely part of a link farm designed to direct users to potentially malicious or unwanted content. The ClamAV detection and ML classifier strongly indicate malicious intent, likely phishing or malware distribution. While no scripts were explicitly extracted, the PDF structure and embedded URIs suggest an attempt to redirect users to external resources.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9988

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, tag: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm (severity: critical, tag: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info, tag: PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, tag: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, tag: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL (location in document):
    • https://lozipotod.ru/aws?utm_term=what+series+comes+after+the+kane+chronicles (PDF link annotation)
    • http://mobeditobaxul.scienceontheweb.net/what_are_the_different_roles_in_scrum_process.pdf (In PDF document text)
    • http://bepelisufozasep.mywebcommunity.org/manual_de_primeros_auxilios_para_nios_de_preescolar.pdf (In PDF document text)
    • http://wopexobow.mywebcommunity.org/how_to_fix_blue_yeti_mic_not_working.pdf (In PDF document text)
    • http://nedavupagisezim.mygamesonline.org/sezujo.pdf (In PDF document text)
    • http://www.ascendercorp.com/ (In PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (In PDF document text)
    • http://www.daltonmaag.com/ (In PDF document text)
    • http://wenibeliso.atwebpages.com/what_makes_a_winner_quotes.pdf (In PDF document text)
    • https://0a3c8164-ddd9-4522-8472-457ce31ece15.filesusr.com/ugd/d32f78_1790373dff30429d89df3a0c066bc591.pdf?index=true (In PDF document text)
    • https://s3.amazonaws.com/davubewu/lamatuzumuwedizudefijoxez.pdf (In PDF document text)
    • https://s3.amazonaws.com/ninazarila/praise_the_lord_song.pdf (In PDF document text)
    • https://a4346b84-4611-49ab-b113-80c9188ca613.filesusr.com/ugd/078c79_e04539a3564d40f7b9f9ffcff9f1649a.pdf?index=true (In PDF document text)
    • https://37e0f79d-b0c1-4727-b76d-5b759c81288f.filesusr.com/ugd/9c66ff_9e614ce0348441c2841e06f20824af09.pdf?index=true (In PDF document text)
    • https://s3.amazonaws.com/fuwuzerijofa/cdc_hep_a_vaccine_info_sheet.pdf (In PDF document text)
    • https://s3.amazonaws.com/vitelitubovuluj/vaaste_song_mr_jatt_pagalworld.pdf (In PDF document text)
    • https://s3.amazonaws.com/rozebofukixus/abundant_elements_on_earth_worksheet_answers.pdf (In PDF document text)
    • https://s3.amazonaws.com/xupizewuxere/thesis_defence_questions_and_answers.pdf (In PDF document text)
    • https://f3b8d348-8566-49c9-a9f8-a2c3b9e1bc8e.filesusr.com/ugd/f1c748_dd06ec1bdb5345ebb87ea7d21db13e6e.pdf?index=true (In PDF document text)
    • https://s3.amazonaws.com/jaxesabi/girl_guides_of_canada_calgary_registration.pdf (In PDF document text)
    • https://s3.amazonaws.com/navoburarovada/sugem.pdf (In PDF document text)
    • https://s3.amazonaws.com/wipotegadodorek/lijanad.pdf (In PDF document text)
    • https://c7972686-9310-4d97-8ac3-15e828887225.filesusr.com/ugd/8a419d_c87ba9f332b44059be4a2661c92296a7.pdf?index=true (In PDF document text)
    • https://s3.amazonaws.com/tunenijexe/hp_laserjet_p1006_printer_driver_for_windows_7.pdf (In PDF document text)
    • https://7095e710-59ac-4d27-8a5a-f3bbcaf65deb.filesusr.com/ugd/418e76_69df7d1aae2647bc972d6ba8c6b2c4df.pdf?index=true (In PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (In PDF document text)
    • http://purl.org/dc/elements/1.1/ (In PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (In PDF document text)
    • http://scripts.sil.org/OFL (In PDF document text)
    • http://dejavu.sourceforge.net (In PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (In PDF document text)
    • https://savannah.gnu.org/projects/freefont/ (In PDF document text)
    • http://www.gnu.org/licenses/ (In PDF document text)
    • http://www.gnu.org/copyleft/gpl.html (In PDF document text)

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off000119a0.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x119A0 | 4984 bytes
  SHA-256: 44c6c6a7c2f0bc3510d77610c5316bcc46b5d5209928fbec900adc274d5c1628
font_01_sfnt_off00012a6c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12A6C | 11424 bytes
  SHA-256: 2b384b3ea2d019970c42905d71c475bbff1c09b28e5a033ce6f69641005c248f
font_02_sfnt_off000151fd.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x151FD | 16632 bytes
  SHA-256: c50702d4acfbab276db04c5221898060464ebd298806f96ba401251afed68d5e
font_03_sfnt_off0001690f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1690F | 4324 bytes
  SHA-256: 4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3
font_04_sfnt_off000176d0.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x176D0 | 6084 bytes
  SHA-256: 5c86a376815d6f0efe6cbb93564a647c509e09040777fb1c2d4e15ff73d7b350