Malicious PDF — malware analysis report

Static analysis result for SHA-256 d38e941dc56da5d0…

Verdict: MALICIOUS
File type: PDF

Size: 91.2 KB
Created: 2021-05-16 02:45:33 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-25
MD5: 81a820d800b856f6a7d35c6a82a8edb7
SHA-1: 519a70479751f3337e698ac309ceeeb949d2286d
SHA-256: d38e941dc56da5d0a66fef6c2ba9826547e472338ab743407d113579f9f3a1e5
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by multiple heuristics, including ML classification and ClamAV, indicating malicious intent. It contains numerous external links, with one prominent URL pointing to a suspicious domain that appears to be part of a link farm or phishing operation. The document body, though heavily obfuscated, suggests a lure related to a product search term, likely to direct users to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9976

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off0000dc18.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xDC18 | 6416 bytes | 9e91590ae502ff902ba306624a00c8d44396a7ee9717b1bfa1717db63fe08483
font_01_sfnt_off0000ebeb.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEBEB | 5488 bytes | 5d16789c7c5eab645e8e1f439252088b71cc7a517acc926727e844c51ec02532
font_02_sfnt_off0000fe6c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFE6C | 9360 bytes | 7ea12ccab607259eb9583d1e13b0b9ed836c2429f3b930effb6724f797d3cbdf
font_03_sfnt_off00011c57.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11C57 | 10608 bytes | 48bd10edfa8eefe930bf2d63cbc05c56ce03fc042f7969b4e64b9817ad714b01
font_04_sfnt_off000140bd.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x140BD | 16256 bytes | 0c28d55d9957e5be45f9d3302843a1d8772fc4e8a9a81ea04eed1b5cc2016f23
font_05_sfnt_off0001561a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1561A | 1736 bytes | 5095ccdfdd328c3f25b1766e9c65bca58fa839170fcb9f3db3c20e130d955aff