Malicious PDF — malware analysis report

Static analysis result for SHA-256 dbac528bce951222…

Verdict: MALICIOUS
File type: PDF
Size: 130.9 KB
Created: 2021-03-15 05:44:40 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-08-20
MD5: 7f666217ba9433e1cb64402a442a9330
SHA-1: c7f36859f82c48301a2dba42d08b086435186d34
SHA-256: dbac528bce951222c065b51511f18ce442883c47a6b911a37f59dbe8d7c4b0c7
Risk score: 244

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains embedded links, one of which prominently points to a suspicious domain (`crophysi.ru`) flagged as a malicious redirector. The document body, though heavily obfuscated, suggests a lure themed around 'IELTS general speaking test samples'. The large number of links, together with the ML classifier's high-confidence score, indicates malicious intent, most likely redirecting users to phishing or malware-hosting sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (6)

  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [medium] PDF_SEO_DISPOSABLE_LINK_FARM: Small PDF is a non-clustered link farm on disposable hosting
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://crophysi.ru/award?keyword=ielts+general+speaking+test+samples+with+answers+pdf (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0001c49c.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1C49C
    Size: 5548 bytes
    SHA-256: 991d34b098588f6ee1b1eab7599efcb4e72b702feb5d45e891c5c28ec63a772b
  • font_01_sfnt_off0001d766.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1D766
    Size: 11000 bytes
    SHA-256: b10476ede51b1503daa5feaff744e80f3a56cb44a0479faf950d4ae5091bafd9