Malicious PDF — malware analysis report

Static analysis result for SHA-256 dc381c7cb4f9dcf1…

MALICIOUS

PDF

74.5 KB Created: 2021-04-05 01:35:42 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-21
MD5: de366a57b6e5fdce65945310c0c2465c SHA-1: 79a61c645ffb7c6d888b5225db81c1750754657d SHA-256: dc381c7cb4f9dcf1dd3dafdef8dc43557e08979086ab6c309b896c421900fcc9
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file is identified as malicious by ClamAV and an ML classifier, indicating a high probability of malicious intent. It contains a large number of external links, many of which point to disposable hosting or redirectors, suggesting a link farm designed to distribute malware or phish users. The presence of a URL with a 'pentair pool pump motor' UTM term indicates a potential lure for specific user interests.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://soxebez.ru/strik?utm_term=pentair+pool+pump+motor+1%252F2+hp PDF link annotation
    • http://nukicew.xyz/583704979231vnzj.pdfIn PDF document text
    • http://idem-peshkom.ru/skyrim_prima_guide_downloadygqms.pdfIn PDF document text
    • http://reabook.online/tamuk_dining_plantjmvg.pdfIn PDF document text
    • http://pakavoposot.22web.org/palmetto_credit_balance_report_phone_number.pdfIn PDF document text
    • http://topcabinets.xyz/rabemisidonukixuzi0aqel.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://xadogugatu.epizy.com/inorganic_chemistry_notes_for_bsc_1st_year.pdfIn PDF document text
    • https://1ffb5d6c-d890-49e0-9b87-dc10fbfa49e2.filesusr.com/ugd/8bc2a6_225ff95a526c4886a20d8935587211ea.pdf?index=trueIn PDF document text
    • https://22520ec4-2132-45a5-98b8-54db1b71d3ea.filesusr.com/ugd/b33b96_8b1862fd16e44bd7b86e4d308346ece9.pdf?index=trueIn PDF document text
    • https://5121d360-3808-4f61-aa44-d87cf2d9d428.filesusr.com/ugd/032e8a_f1655ddef3ee4d4587170e77c22f0469.pdf?index=trueIn PDF document text
    • http://titotoxofeneraw.epizy.com/mechanical_engineering_mini_projects_reports.pdfIn PDF document text
    • https://2c5a832e-93c4-4ab0-bef0-969ef348d747.filesusr.com/ugd/cc5daa_0c31a7a3d6b042289ad81d74ca88e6d4.pdf?index=trueIn PDF document text
    • https://7095e710-59ac-4d27-8a5a-f3bbcaf65deb.filesusr.com/ugd/418e76_a85089cad63d4e49810aff616f5b6bf1.pdf?index=trueIn PDF document text
    • http://bajipenu.epizy.com/1416173813.pdfIn PDF document text
    • https://76bf09fe-c378-4d6f-baa9-beaf48595a8b.filesusr.com/ugd/61567a_8a1b440d6811471c8bb21ff73d5c98ce.pdf?index=trueIn PDF document text
    • https://cf268418-7549-4780-9cff-e39e61b5276c.filesusr.com/ugd/0b1cf2_831cde7926e94f24933567b90421cf9f.pdf?index=trueIn PDF document text
    • https://c7972686-9310-4d97-8ac3-15e828887225.filesusr.com/ugd/8a419d_45452037d3934042a4f85811f9a2ddb1.pdf?index=trueIn PDF document text
    • https://98748e4b-3258-471a-903e-8ea98415cca0.filesusr.com/ugd/fd7405_6724c5e12d5b4108ae70c3f35bb5785b.pdf?index=trueIn PDF document text
    • http://ruxuwidoke.epizy.com/abcd_mahi_teri_chunariya_song.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e47a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE47A 5100 bytes
SHA-256: b2ae2de5aa130034ce73fb5157714dfb2078a5d87131c5e8e4ad334cb80a3a29
font_01_sfnt_off0000f5b2.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF5B2 11220 bytes
SHA-256: dcbacafeed381eb6624fc75fc39e0adbe03d3d2fb49899651a9cad366443f6bc