Malicious PDF — malware analysis report

Static analysis result for SHA-256 ce8c56612ca87f15…

MALICIOUS

PDF

Size: 109.5 KB
Created: 2021-04-07 09:45:37 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-22

MD5: e992b9309427124e19a09f2a0ffa4b3f
SHA-1: da45a5663c50bfcfe92fc7636bb44c9f4bdd97d8
SHA-256: ce8c56612ca87f15fb33dd138c79c1325617a5c15042902b0f470fb000e7a607

Risk Score: 126

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9987

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://nipisod.ru/123?utm_term=2.+0+movie+tamil++in+tamilrockers+isaimini [PDF link annotation]
    • https://cdn.sqhk.co/jabisopomuxo/s4EicD5/ruwomenowotola.pdf [PDF document text]
    • http://mofobawosenej.mygamesonline.org/catalyst_characterization_techniques.pdf [PDF document text]
    • http://wepisoja.mypressonline.com/dopamine_drug.pdf [PDF document text]
    • http://zolepop.mypressonline.com/pdf_to_word_converter_free_download_online.pdf [PDF document text]
    • http://mibejar.sportsontheweb.net/17325879699.pdf [PDF document text]
    • http://xufuzema.sportsontheweb.net/jamiwipozatinobamifemupe.pdf [PDF document text]
    • http://duzegotola.medianewsonline.com/7421364237.pdf [PDF document text]
    • https://cdn.sqhk.co/bebumila/pSjbjcg/android_x86_32_bit_iso.pdf [PDF document text]
    • http://znasila.ru/euro_truck_simulator_2_activation_code_keygene31yg.pdf [PDF document text]
    • https://cdn.sqhk.co/pugirunosamo/ggdvje0/10842299866.pdf [PDF document text]
    • https://cdn.sqhk.co/jubawiwa/shidgi3/jisiloxiwolifisasub.pdf [PDF document text]
    • http://smartcoin.design/b_cn_ngha_l_gv187j.pdf [PDF document text]
    • http://wgathering.org/gta_5_premium_online_edition_ps4_gameplaybm4fh.pdf [PDF document text]
    • http://ejqy.com/botigupagetopibam8ogyb.pdf [PDF document text]
    • http://tejasatobes.medianewsonline.com/types_of_lighting_used_in_horror_films.pdf [PDF document text]
    • http://www.ascendercorp.com/ [PDF document text]
    • http://www.ascendercorp.com/typedesigners.html [PDF document text]
    • http://fedorahosted.org/lohit [PDF document text]
    • https://s3.amazonaws.com/suzixegazunow/15985932872.pdf [PDF document text]
    • http://jamenajiko.myartsonline.com/45421819389.pdf [PDF document text]
    • https://uploads.strikinglycdn.com/files/b4ce2eb0-1149-4a5c-ac53-36cf364afe25/hp_c3180_paper_feed_problem.pdf [PDF document text]
    • https://s3.amazonaws.com/filidabut/client_billing_explorer_deskpro8_vista7_2010.pdf [PDF document text]
    • https://uploads.strikinglycdn.com/files/a5c8bf0b-19a6-4910-a384-231baf25c753/nanazefixufipekabirudi.pdf [PDF document text]
    • https://s3.amazonaws.com/bolovopizonuki/cheppave_chirugali_movie_video_songs.pdf [PDF document text]
    • https://s3.amazonaws.com/baxunaf/bukhari_shareef_urdu_translation_free.pdf [PDF document text]
    • https://uploads.strikinglycdn.com/files/ce385521-da8b-4172-84d7-b630f6dd031d/zubizinipajisodifodepugu.pdf [PDF document text]
    • https://uploads.strikinglycdn.com/files/ac1bfa0e-daba-41c0-944a-2ed5129d904b/buzabemefidefubiwo.pdf [PDF document text]
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# [PDF document text]
    • http://purl.org/dc/elements/1.1/ [PDF document text]
    • http://ns.adobe.com/pdf/1.3/ [PDF document text]
    • http://ns.adobe.com/xap/1.0/ [PDF document text]
    • http://ns.adobe.com/xap/1.0/mm/ [PDF document text]
    • http://ns.adobe.com/xap/1.0/rights/ [PDF document text]
    • http://scripts.sil.org/OFL [PDF document text]

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00015652.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x15652
    Size: 5280 bytes
    SHA-256: 1ae849c44aaef7311ecd7a710eafae4ea33f283cb8d232c2cd669ca72a92b0ff
  • font_01_sfnt_off0001683e.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1683E
    Size: 13432 bytes
    SHA-256: bb005bbb10ebdc07113d58b0e848c887f8e487c444233529d3fec37c99a4cb0e
  • font_02_sfnt_off0001943e.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1943E
    Size: 5304 bytes
    SHA-256: eae09c22be3e954dbf19827b6cc76d19a31ffb5240f7210c134f0dba56411a40