Malicious PDF — malware analysis report

Static analysis result for SHA-256 cc51c4bf9da89953…

MALICIOUS

PDF

Size: 84.9 KB
Created: 2021-04-04 18:41:20 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-23
MD5: 4de91c79c76df9a676215d2887837da9
SHA-1: 712d4b30d020fadbeba458e57a4a6770ca5727d9
SHA-256: cc51c4bf9da899534f3676553441ba4c6e0fd029f7f08382494a6a528730fed9
Risk Score: 186

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting (severity: medium, rule: PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00010aee.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10AEE
  Size: 5568 bytes
  SHA-256: 80167ce5fc5de8756272248eb30941d87054d558f601235a319fd1c1c5db5c6c

Filename: font_01_sfnt_off00011dfb.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x11DFB
  Size: 11768 bytes
  SHA-256: cc11b3eb969b5204192e5386b2280372fe2f76b3625cf3fcf60534e941f82db0