Malicious PDF — malware analysis report

Static analysis result for SHA-256 da1a2c640f816320…

Verdict: MALICIOUS
File type: PDF

Size: 77.9 KB
Created: 2021-05-28 18:41:25 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-08-20
MD5: 3c4f7b1de0c85b02c4526bacf41fd56b
SHA-1: c533efefc67d5897387d4d80315e1bd75002762b
SHA-256: da1a2c640f8163204d0276e6ce9179e7c7cfbe15d1d29af421181d0b2c8d2e5c
Risk Score: 194

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file contains a significant number of external links, many hosted on disposable domains, suggesting a link farm or phishing attempt. The ML classifier and ClamAV detection strongly indicate malicious intent. The presence of embedded URLs and a 'download button' lure further support the conclusion that the document is designed to redirect users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (7)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [severity: critical] [rule: CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm [severity: critical] [rule: PDF_SEO_LINK_FARM]
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting [severity: medium] [rule: PDF_SEO_DISPOSABLE_LINK_FARM]
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure [severity: low] [rule: SE_DOWNLOAD_BUTTON]
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
  • External URI [severity: info] [rule: PDF_URI]
    PDF contains an external URL action.
  • Object number defined twice with different bodies [severity: info] [rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [severity: info] [rule: EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f43f.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF43F
  Size: 5032 bytes
  SHA-256: c39987341d0ddaf5cf6f942d3d476d1ff527029446ad1107f0bd5d82cbac8bf5

Filename: font_01_sfnt_off0001056f.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1056F
  Size: 10860 bytes
  SHA-256: 4c70f4a6e06be872ec7dca061a6823484c13a5a663b9cb9e0dd3f0a1363866d8