Malicious PDF — malware analysis report

Static analysis result for SHA-256 db89e768b8892a47…

Verdict: MALICIOUS
File type: PDF
Size: 69.5 KB
Created: 2021-03-04 18:34:30 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-18
MD5: 721359bd41ef25960b7654189afc4b09
SHA-1: 25537ecc1ac41bb9abb2fdd043d5cfe3c79a1923
SHA-256: db89e768b8892a47a4ef1e6aaf0fa12693e1197a443b4b6451aeb1de939cad9a
Risk score: 126

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9777

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting (medium) PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (info) PDF_URI
    PDF contains an external URL action
  • PDF differential parser failed (info) PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PDFSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off0000de71.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xDE71 | 5304 bytes | c4745c09fb5fcb6c7928573f49e8fccd1a32f3743f8dd539a34f6389285e00a2
font_01_sfnt_off0000f071.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF071 | 10008 bytes | 3e489e179b840572421330a4404acf6b61359382c6049b6543b522df7f4bf334