Malicious PDF — malware analysis report

Static analysis result for SHA-256 dcbe353a202b0586…

MALICIOUS

PDF

74.6 KB Created: 2021-03-14 18:28:59 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-06-30
MD5: 417083c03da7d2d572dd595d47b65c16 SHA-1: 55613ff7577a0c31c0ca5d50bfd5364f681ecbb0 SHA-256: dcbe353a202b05866ca54dbb67356283182a2bb2a5e1bec097afc0980b975b0b
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains a large number of external links, many hosted on disposable domains, suggesting it is part of a link farm designed to artificially boost search engine rankings. The primary URL points to a page that appears to be a lure for a PDF document, likely to drive traffic to these link farm sites. The ML classifier and ClamAV detection strongly indicate malicious intent, likely phishing or SEO spam.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jacksth.ru/award?keyword=english+words+of+arabic+origin+pdf PDF link annotation
    • https://navemozozaju.weebly.com/uploads/1/3/1/1/131164567/jovafojuvedifogef.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4402706/normal_5ff3c3ed44bbb.pdfIn PDF document text
    • https://pilonalamajavex.weebly.com/uploads/1/3/1/1/131164122/687dd.pdfIn PDF document text
    • https://weralafopibobal.weebly.com/uploads/1/3/4/3/134338927/tuziba_dajumizirum_buzesaba_jobug.pdfIn PDF document text
    • http://zezasarasojid.mywebcommunity.org/38629109546.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4421764/normal_60486f0f2c892.pdfIn PDF document text
    • https://kadeborejegan.weebly.com/uploads/1/3/2/7/132740978/3585072.pdfIn PDF document text
    • https://nagiwudulowep.weebly.com/uploads/1/3/0/7/130775657/766080.pdfIn PDF document text
    • https://tabogivazosepa.weebly.com/uploads/1/3/1/8/131871767/bapatakukotafogigo.pdfIn PDF document text
    • https://wuguxobexo.weebly.com/uploads/1/3/0/7/130739488/tipovatogituribek.pdfIn PDF document text
    • http://xuxikurov.mygamesonline.org/2015_jeep_grand_cherokee_service_4wd_system.pdfIn PDF document text
    • https://zafudibibini.weebly.com/uploads/1/3/4/1/134108698/be105d4f.pdfIn PDF document text
    • https://fejilexa.weebly.com/uploads/1/3/1/1/131163980/vonubotejo-rarorofugo-jajarak-vufasogi.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://cee4a208-09ac-40e0-983f-4c2cc776acbe.filesusr.com/ugd/5ed537_b5b17d76c52942b19f846a5870d07889.pdf?index=trueIn PDF document text
    • https://006b50d4-ad2a-4261-8279-34542eb0d7b0.filesusr.com/ugd/a640e9_bdf7ab7aa41e4f09982c590a5193f874.pdf?index=trueIn PDF document text
    • http://tobobuximalusu.epizy.com/nijiputodepereti.pdfIn PDF document text
    • http://nogogesusuwebob.epizy.com/82313661668.pdfIn PDF document text
    • http://dexixikix.epizy.com/96374490547.pdfIn PDF document text
    • http://rajivapaw.rf.gd/walt_disney_company_history.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e3c9.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE3C9 5608 bytes
SHA-256: 62016f56937a70897d1796386317f9dc509baf54b39b34c98e009bcf9b358345
font_01_sfnt_off0000f6e6.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF6E6 11372 bytes
SHA-256: aa12e58e9adc60a375c0ed55a4842315d89eb1fafa4c8d7d9f004dc55ae40bef

Open this report in the interactive analyzer, or submit your own file for analysis.