Malicious PDF — malware analysis report

Static analysis result for SHA-256 d408c138dc857cbf…

MALICIOUS

PDF

78.0 KB Created: 2021-03-21 20:57:26 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a046d27035e621a86f7823c9e1ab1035 SHA-1: 4a0d95e97d842be0a0bace0d9121560ffb7541f0 SHA-256: d408c138dc857cbfd7edb4b0a5fb052eb7bf66d3efbf4a0aff07814ada60b66c
136 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains numerous external links, a common tactic for SEO poisoning or link farming. Crucially, it includes a 'Clipboard command execution lure' heuristic, indicating the document instructs users to copy and paste content into a command-line interface. This strongly suggests an attempt to trick the user into executing malicious commands, likely to download and run a second-stage payload. The ML classifier also flagged this PDF as malicious with high confidence.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://botokaw.ru/award?keyword=list+of+abbreviations+in+computer+pdf
    • https://cdn-cms.f-static.net/uploads/4474992/normal_604d2a7cbfe6b.pdf
    • http://aov.one/ftl_zoltan_ship_unlock_guidebxhch.pdf
    • https://static.s123-cdn-static.com/uploads/4481282/normal_5ffb07c417ee6.pdf
    • http://freds.space/bogumomonosemejebapuru4ovmi.pdf
    • https://cdn-cms.f-static.net/uploads/4501991/normal_5fe9d0fb61cab.pdf
    • http://dresdenpharma.ru/anushka_sharma_breakup_song7k4m7.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/5e303b9a-442b-40e6-8693-cad854b2c287/the_possibility_of_evil_worksheet_answers.pdf
    • https://9534cc33-30dc-483d-bed2-8d5691710d48.filesusr.com/ugd/3835dd_5be47bde0b4a4c19a9a86b476b00135e.pdf?index=true
    • https://2ffa788b-df2f-461f-b9c5-573bec542745.filesusr.com/ugd/374ce0_1af2c2d46c364af98374bc0b6657e203.pdf?index=true
    • https://uploads.strikinglycdn.com/files/594c9bd2-3331-4f2a-967e-ea4e2e9f6816/what_is_the_main_theme_of_macbeth_act_1.pdf
    • https://436c154b-1c2d-4c60-9768-ed3a268ef5e1.filesusr.com/ugd/e8e253_fb6a33936e074969ad9d7068ccfabe5e.pdf?index=true
    • https://uploads.strikinglycdn.com/files/b73031de-3d1c-4483-abb9-05a1dfbbf105/jaxabolabiliwuwogitonuriz.pdf
    • https://uploads.strikinglycdn.com/files/d78e37a7-40d7-4cfb-b8dc-f4c7bac58ae0/sutapibevepa.pdf
    • https://uploads.strikinglycdn.com/files/3f9bf3ed-c9b3-402a-a5a9-a3b24b3101f9/nikon_coolpix_p520_reference_manual.pdf
    • https://uploads.strikinglycdn.com/files/53286e94-4a1c-44f1-9c7e-9d3e56dc502c/white_poinsettia_christmas_tree_decorations_uk.pdf
    • https://c245485c-e1a4-4c5a-9a2a-c465a95e53c8.filesusr.com/ugd/25f824_47f64ee9fd274f579b33f7245f974179.pdf?index=true
    • https://7fad2989-91b8-457c-89bc-9a0e7aeef19f.filesusr.com/ugd/b03ff3_60dc829651834920b965d2387f9e6c2d.pdf?index=true
    • https://7abbf572-6989-4614-8246-9d5ba34cd238.filesusr.com/ugd/af841b_08ac9398a8364c7bad9d9244d59a581a.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f240.bin
96b377e6603751a09e028a431a622e9bef77050494634e03c2b2f6c5d46388cf		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF240 5412 bytes
font_01_sfnt_off00010495.bin
e002c22f3de8845a2e921e3d02eaff1269f6b524df575b47d528ff18957d2ece		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10495 11128 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.