Malicious PDF — malware analysis report

Static analysis result for SHA-256 d34ab4481fad25eb…

Verdict: MALICIOUS
File type: PDF
Size: 96.9 KB
Created: 2021-05-03 14:41:06 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-20
MD5: ee67f45e029c82d8175e3e1b657fb297
SHA-1: 767c0524bc0a8a10edb49ff0caee8671a8394725
SHA-256: d34ab4481fad25eb76389d67ec715d2773e170cdef182755fc7c0ed1732e9b83
Risk score: 126

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF was flagged as malicious by multiple heuristics and a machine-learning classifier. Its only clickable link annotation points to 'https://leonvi.ru/strik?utm_term=quran+only+urdu+translation+audio+mp3', a utm_term-style SEO redirector that is likely a phishing or malware-distribution lure. The document text also lists many .pdf links spread thinly across free and disposable content hosts, the layout of an SEO link farm rather than of a normal document, which further suggests malicious intent. The file itself carries no exploit; the risk lies in the linked destinations.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once in the file with different body bytes. A first-wins reader and a last-wins reader will therefore resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates (a normal save-in-place appends a new copy of the object), so the severity is raised only when the duplicate carries active content such as a JavaScript, Launch, URI or OpenAction entry.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached each URL. Only the first URL below sits in a clickable link annotation; the rest were found in document text. The w3.org, purl.org and ns.adobe.com entries are XMP metadata namespace URIs, and the dejavu.sourceforge.net, scripts.sil.org/OFL, ascendercorp.com and fedorahosted.org/lohit entries are licence and vendor strings of the kind carried in embedded font metadata (consistent with the sfnt fonts listed under Extracted artifacts); none of these is a link a reader can follow.
    • https://leonvi.ru/strik?utm_term=quran+only+urdu+translation+audio+mp3 (PDF link annotation)
    • https://cdn-cms.f-static.net/uploads/4405641/normal_606dde759f14d.pdf (in PDF document text)
    • https://cdn.sqhk.co/tumupowe/UhfHNY4/adobe_photoshop_cs2_brush_free.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4379603/normal_605af1c07c944.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4470961/normal_6068be26939ee.pdf (in PDF document text)
    • https://cdn.sqhk.co/dekavaka/f8UoOgc/xfinity_stream_on_firestick_error.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4468827/normal_60209807e3ef7.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4380694/normal_601ecb7f38bac.pdf (in PDF document text)
    • http://bumosid.getenjoyment.net/18984368823.pdf (in PDF document text)
    • http://xuxikurov.mygamesonline.org/arthritis_back_exercises.pdf (in PDF document text)
    • https://cdn.sqhk.co/gadukupuwe/mYieVoG/cinema_uae_coming_soon.pdf (in PDF document text)
    • https://cdn.sqhk.co/wexovezojab/je0nja0/radio_italia_online_gratis.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • http://fedorahosted.org/lohit (in PDF document text)
    • https://2daccc73-8708-4113-a26a-4f38906335d9.filesusr.com/ugd/f65175_1533185685294b6c88886a9529f51126.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/f07d2008-d7a4-47fb-8e6e-6b04f83952e3/75850995013.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/c92c5ccf-3fcb-4389-b66f-2d7315ef025e/bunn_tea_brewer_troubleshooting.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/da97bc65-d67f-40d8-8e9a-e6bc9e8baa8c/dope_inc_wikipedia.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/51fbbc01-0729-476f-b89f-21dc0a30f8cd/delta_universal_miter_saw_planer_stand_manual.pdf (in PDF document text)
    • http://sanojepenot.onlinewebshop.net/94341526020.pdf (in PDF document text)
    • https://e21f0dd0-e693-4a2a-aa38-6cab66162128.filesusr.com/ugd/34eed6_141026f99de84e29b96b4fb0f9675084.pdf?index=true (in PDF document text)
    • https://ebba3e40-d49f-4cc8-b137-373bb1124918.filesusr.com/ugd/384ea4_8c64e5ec0b414b5c9b3a92f0b7cef3df.pdf?index=true (in PDF document text)
    • https://d451e762-8e00-4155-9971-9512d28d2528.filesusr.com/ugd/b52961_a12e872237654709b4826c58cd4b8223.pdf?index=true (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
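To make the duplicate-object heuristic (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) and the link-farm heuristic (PDF_SEO_DISPOSABLE_LINK_FARM) above concrete, here is a small regex-based triage script. It is an added example, not the analysis platform's own code, and it runs on a constructed two-revision PDF embedded in the block rather than on the analysed sample. The `ACTIVE_KEYS` list, the `DISPOSABLE_HOSTS` list (taken from the hosts seen in this report) and the `min_links` / `max_top_share` thresholds are assumptions chosen for illustration.

```python
"""Static triage of a small PDF: duplicate indirect objects and link-farm host spread.

Added example, not the analysis platform's code. Works on raw bytes with regular
expressions (no PDF library) so it runs offline; thresholds and host lists are assumptions.
"""
import hashlib
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# "N G obj ... endobj" on raw bytes. Deliberately not a full PDF parser: it ignores
# object streams and would be fooled by a stream containing the literal "endobj",
# which is adequate for small, uncompressed link-farm PDFs.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
URL_RE = re.compile(rb"https?://[^\s<>()'\"]+")
# Dictionary keys that make a duplicate body "active" (code or navigation); their
# presence is what lifts the duplicate-object finding above "info" (assumed list).
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/URI", b"/OpenAction",
               b"/AA", b"/SubmitForm", b"/GoToR")
# Free / disposable content hosts (assumed list, taken from the URLs in the report).
DISPOSABLE_HOSTS = ("filesusr.com", "strikinglycdn.com", "f-static.net",
                    "sqhk.co", "getenjoyment.net", "mygamesonline.org",
                    "onlinewebshop.net")


def duplicate_objects(pdf: bytes) -> dict:
    """Map (num, gen) -> [(body_sha256, has_active_keys), ...] for every object id
    defined more than once with different body bytes. Versions are kept in file
    order: the first is what a first-wins reader uses, the last what a last-wins
    reader uses."""
    seen = {}
    for m in OBJ_RE.finditer(pdf):
        key = (int(m.group(1)), int(m.group(2)))
        body = m.group(3)
        seen.setdefault(key, []).append(
            (hashlib.sha256(body).hexdigest(), any(k in body for k in ACTIVE_KEYS)))
    return {k: v for k, v in seen.items() if len({d for d, _ in v}) > 1}


def duplicate_severity(dups: dict) -> str:
    """'none' without duplicates, 'info' for body-only differences (ordinary
    incremental saves), 'high' when any version carries active content."""
    if not dups:
        return "none"
    if any(active for versions in dups.values() for _, active in versions):
        return "high"
    return "info"


def link_farm_signals(pdf: bytes, min_links: int = 5, max_top_share: float = 0.5) -> dict:
    """Host-spread signals: many .pdf links, no dominant host, plus a utm_term
    redirector and/or links parked on disposable hosts."""
    urls = {u.decode("latin-1").rstrip(".") for u in URL_RE.findall(pdf)}
    pdf_links = [u for u in urls if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in pdf_links)
    top_share = max(hosts.values()) / len(pdf_links) if pdf_links else 0.0
    seo_redirector = any("utm_term" in parse_qs(urlparse(u).query) for u in urls)
    disposable = [u for u in pdf_links
                  if (urlparse(u).hostname or "").endswith(DISPOSABLE_HOSTS)]
    return {
        "pdf_links": len(pdf_links),
        "distinct_hosts": len(hosts),
        "top_host_share": round(top_share, 3),
        "seo_redirector": seo_redirector,
        "disposable_links": len(disposable),
        "flagged": (len(pdf_links) >= min_links and top_share <= max_top_share
                    and (seo_redirector or bool(disposable))),
    }


# Constructed sample, not the analysed file: page text listing .pdf links on several
# disposable hosts, followed by an incremental update that redefines the link
# annotation (object 4) so first-wins and last-wins readers follow different URIs.
_TEXT = b"\n".join([
    b"BT /F1 10 Tf 72 700 Td",
    b"(https://cdn-cms.f-static.net/uploads/1/a.pdf) Tj",
    b"(https://cdn.sqhk.co/x/y/b.pdf) Tj",
    b"(https://uploads.strikinglycdn.com/files/1/c.pdf) Tj",
    b"(https://0000-0000.filesusr.com/ugd/d.pdf?index=true) Tj",
    b"(http://host.getenjoyment.net/e.pdf) Tj",
    b"ET",
])
SAMPLE_PDF = b"".join([
    b"%PDF-1.4\n",
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n",
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [4 0 R] /Contents 5 0 R >>\nendobj\n",
    b"4 0 obj\n<< /Type /Annot /Subtype /Link"
    b" /A << /S /URI /URI (https://example.org/doc.pdf) >> >>\nendobj\n",
    b"5 0 obj\n<< /Length %d >>\nstream\n" % len(_TEXT) + _TEXT + b"\nendstream\nendobj\n",
    b"trailer\n<< /Root 1 0 R /Size 6 >>\n%%EOF\n",
    # incremental update: same object id, different body, still a /URI action
    b"4 0 obj\n<< /Type /Annot /Subtype /Link"
    b" /A << /S /URI /URI (https://lure.example/go?utm_term=free+template) >> >>\nendobj\n",
    b"trailer\n<< /Root 1 0 R /Size 6 >>\n%%EOF\n",
])

if __name__ == "__main__":
    dups = duplicate_objects(SAMPLE_PDF)
    print("duplicate objects:", dups, "severity:", duplicate_severity(dups))
    print("link-farm signals:", link_farm_signals(SAMPLE_PDF))
```

On the constructed sample the script reports object 4 0 defined twice with differing bodies, both carrying a /URI action, so the duplicate finding is rated high rather than info; the link-farm check sees six .pdf links on six distinct hosts (no host above one sixth of the total), a utm_term redirector and five links on disposable hosts, which is the same shape the report describes for the real file. Regex extraction is a triage shortcut: a production check should also walk object streams and resolve the xref chain so it can say which revision a given reader will actually honour.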

Extracted artifacts 5

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
stream_006_off000136d7.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x136D7 | 23308 bytes | a6298824eef22350bbad42f11c677e8186431d60d2ee3926a3da29f459ff30d3
font_00_sfnt_off0000f427.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF427 | 5432 bytes | 6c1647b0ccf31f35e75db2e8f24023e9cab4f552cceb5e4566b64fc192b2ced8
font_01_sfnt_off00010684.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10684 | 2140 bytes | 3eadf3ff1ae85f7a2dd8be852d633ca148c1d24200a16cbd4325889adc5789c4
font_02_sfnt_off0001105e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1105E | 11200 bytes | f1edd70705184f55c31bef3d34702d39200d4bc6ca6675f9d4789964a81d2763
font_04_sfnt_off00015eed.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x15EED | 6232 bytes | f4d2f293db8b304ebd2ab98b84466a183b5eb69e855c5f15d58e5743bf0fb729