PDF malware analysis — malicious · e167aff80ddc3064

MALICIOUS

PDF

71.8 KB Created: 2021-02-07 09:20:54 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-11

MD5: 95b389f58c0ce5613e2325fd9803d88f SHA-1: 1b3e20485580d015f0d8259ea3143c167c73371d SHA-256: e167aff80ddc3064d8baa317e72edd0fa3d76ea105c8cf35ef16a3dcb706ab6a

346 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains an embedded JavaScript payload and numerous external links, indicating a malicious intent to redirect users. The ClamAV detection and ML classifier strongly suggest this is a phishing or trojanized document. The embedded script likely facilitates the redirection to malicious sites.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 9

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOAD

PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND

Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://jacksth.ru/123?utm_term=plato+the+meno+sparknotes PDF link annotation
- https://nudesobaxoxis.weebly.com/uploads/1/3/4/6/134666739/gagime.pdfIn PDF document text
- https://vuwezamubom.weebly.com/uploads/1/3/0/8/130814902/pizewaletar_ligobunazefax_tugogebedo_jiwomegowa.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4372723/normal_5feb7c68b97ea.pdfIn macro / runtime command snippet
- https://cdn.sqhk.co/vizoxaxijojo/2LsnvlA/mekonu.pdfIn PDF document text
- https://cdn.sqhk.co/mijajijem/iigesJT/rejek.pdfIn PDF document text
- https://cdn.sqhk.co/bamikalagov/1hFXAhe/13610298708.pdfIn PDF document text
- https://cdn.sqhk.co/nupopobax/OSjfnVE/baby_dream_house_app.pdfIn PDF document text
- https://cdn.sqhk.co/norumuwapa/ighiige/31251858056.pdfIn PDF document text
- https://kuginipa.weebly.com/uploads/1/3/4/8/134853520/d3c4ed84.pdfIn PDF document text
- https://cdn.sqhk.co/sururezog/xzs8hbT/top_10_songs_70_s_music.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- http://bividit.rf.gd/create_list_from_template_sharepoint_2013_powershell.pdfIn PDF document text
- http://tefinavi.epizy.com/card_games_free_solitaire.pdfIn PDF document text
- http://fezipowivi.rf.gd/77113121405.pdfIn macro / runtime command snippet
- http://lugimes.epizy.com/division_with_remainders_4th_grade_worksheets.pdfIn PDF document text
- http://fugewep.rf.gd/bard_s_tale_4_offerings_guide.pdfIn PDF document text
- http://votitagupen.epizy.com/musubusozi.pdfIn PDF document text
- http://refowokewip.rf.gd/vegodemuf.pdfIn PDF document text
- http://xepododulujex.epizy.com/jizituwafaxixij.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://tefinavi.epizy.com/card_games_free_solIn macro / runtime command snippet
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`embedded_pdf_script_0000c79d.bin`	pdf-embedded-script	PDF decompressed stream script payload at offset 0xC79D	73474 bytes
SHA-256: `f775cb334deec71a91798b7c80972177fe918c8a1c8a4bc89d977157f4a69b2d`
Detection ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 Obfuscation or payload: likely Carved artifact contains 1 shell/COM execution token(s).
Preview script First 1,000 lines of the extracted script %PDF-1.4 1 0 obj << /Title (�� P l a t o t h e m e n o s p a r k n o t e s) /Creator (�� w k h t m l t o p d f 0 . 1 2 . 5) /Producer (�� Q t 4 . 8 . 7) /CreationDate (D:20210207092054+02'00') >> endobj 3 0 obj << /Type /ExtGState /SA true /SM 0.02 /ca 1.0 /CA 1.0 /AIS false /SMask /None>> endobj 4 0 obj [/Pattern /DeviceRGB] endobj 6 0 obj << /Type /XObject /Subtype /Image /Width 625 /Height 155 /BitsPerComponent 8 /ColorSpace /DeviceRGB /Length 7 0 R /Filter /DCTDecode >> stream �� JFIF K K �� C �� C �� q " �� } !1A Qa "q 2�� #B�� R��$3br� %&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz�� w !1 AQ aq "2� B�� #3R� br� $4�%� &'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz�� ? ��𧅭� i ��-%�l�LBY 8�1P S�� x�� {b?�ʸ9;ne県�� }��&K � H��I�<Dgh G# �� Rf2O]z Z� ^g1 �� ;�E�@x8�� ޹ �ޟ�J� \|? \i� �9 3�s�� D�#� �U��}y � R e�X�l �� 9�� <:��0ۺ�^H鏛� =>��<\�� .e ��׊�PIR�� 9�� 5"�%��$z�/�4� T^�� \|; ;&��<��9=p h�;ᘣ��C� �K� � ��?Ȯ�� ^�Jr� �AV?+ �O<z� �� #�_�~ �w g1 rw\��סn��?:D�E��_��A��穮�`h��w$�Ӝ�I" �#�`� ��S�I4��o� ߇e��J ;0��9��z � \3 Ӄ\|�[3�I��q] щ] B �'��)˲. 2�� ~ � '�ݮ�ב�?�� (r@�D�W�p7z�~ �iY��፸� ]&z� ��I<V�p��ܶ3�'�N :q��$P� �"�� =sۡ�; f�rk_�� G��cӗ��&�R =?�� 8� x} ��yi:��0� ˻�~�ֺf ��r8� ��R� �R�z�� <�4�'��!��I�U\|�~�)�O��=?>��߆�#�4�� H� �w�UҸq'� � ⤌s� ��fVu � ��I��ӿ �t�� /�� L��H� ��\ ��wî :a\��mģ g�޿�t��)��6�� V`�,�< ;��9s��å �9��by�� o�E?� � ` g�� s�t�k ^�8�9 w秧�軚-��@ �� O��a> xz8� 8 < �'=q�\|�&�~ xyy��;�p��V�� ?�=4��B ��qגy� "�s � H 7Q�?�)�;'n��@ � ��6�2z��y&�> �z% �� c��s� ��WOp nV ��ޣWI ?> � �ק��=�mEۯ�� J˳N # � 6�L{����N� ��z\|�� t��e ]��6G�:ӊ 28 ��s��Ri �� 9��T> %��m %g�g8��_Ju�� ġ�N 8�3�A�1�\� �H�5\d�@=I��0 :6� /U c��GA��e~ �r8I]1�F ��n<�Ѻ�N(O�� V ��7�p �C� 8-�Z�2 @I�y� g ?�_\|~4d��T>$<�� $� �? Ɲ��{v�� ? \|9q ņve �M��sӯ~ zz�!��魀� �K�w?{�� W�t�� g��4�%P�V �� /��esD䢛g1 � �� ?��2�0[� �b� \|:�� ¾�� їbJ�d`�y�� >��z�] Nd� �r � 9�z�׷Zv'��G4� \|:6H�{&ӒEĤ?�� ҟ/�� y` � �᫤h�qr 6�� >@`�'�1�ʕƕ�� ¢��!Z =�W �̽?��Ҙ~ �vAΚ�1��y0��}+�@A`vI�>^�v ��9T�Y��R N q�bw��G0~ xtJ �ZY �ȹ��8�>oO�O��?��~];��eg�8Ǧ� �Һ<<�� GN��B�˞Ib@ ��ϧ��K �j�� W9��9��ã��g��9� ߰�NO� IX��J��G�%��黎�ʺ5l:��v�i�$ ;_ �lu��{P8�4�s'��aa��Yp N�� 4\| ��0t� ��s.�?�۷OʺD�#VT�Ēx � ��;��ޕK�� l�� ӑE��u��s��k �N� O.�u�� S��)��c� �� s�� d 70� N~��S�v�l��6�1ۧ�#M�9U�C��=� А�� [��NI�>��? <3!��д�� @J� �g �] 2 ��ҬH ��zq�}�YI�d �<g ��̣+�n��7��m n��r �q�b�� ;Ο'�2G�%�� }+��tU�# ��r��}i#;b 4�� )� <g��"Zj6Җ��6� �6�� F�rRi0q� � s��Ҝ� �<�n:y.�# 3c��_߯ a] ��F`�9;� #9�I � >�Gu ��\P�Q�i�?�� S�O�^ 9d�V�q<�S��\v��Q'�� ĸ�� c��z� �# ��ˁ��Fs�㟯 ��d`�AY01� �㯯4� M��ls \|!�� 8��14� ��c ��8D�E��&��F � � ��q�~ u�t��#w�1��< ��<� ��b A�8��ѽ ��W��S�� b\|�s��c �1�� e �� JA �� ,\| � � �� \|�: YY�y9�8�� ҲE^R׭��sG��cP��FK <��{�� Q7� ��Ӱ �9�� q��O��qn� #<� ��P] ɒ8�dp A �Q�;}�� ˟�^ �Ә+g;&� 9�=3��~ �v ��ӊm��,:�p[ � � �t��^�w<��?�JI2� �� >�� ~��"�Z��]> x{ Ng�˟�K��+�7t� =:�jY~ �uP��Py]3q. �=�>��L��T�� {SK I$�� (��V��#P��*g��),y�~~{�#��> xvF��qpF��yr��y?ʺ� � # �9��{�#+�� ;��=��&N�O��c� <8� �� s��q�6/� @��+�K �Ը��\�4� w_l� �� 򁓌��z�hj� �{4�^?�� Pvi�G��% g �/��ޏ�S� �F��6q��zc �� ƺh݈m��9�{u ��֐8f;UX G� 1�{� �%c��p X0!��@8#� ��.i�� ñI�ӗp��9��U � �� 3��8� <�� : �7 x qC��ŵ'/��"�O��ZBlv�8�`O�� OT �^ ��t�]@'幔�8� ��?�U��z 0lt �> ��n �G�9 �zҲ4r��} a� �tE � o��M+��n�:��+k� ... (truncated)
`font_00_sfnt_off0000de82.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xDE82	5124 bytes
SHA-256: `e6d05bd6b6e6570bdc7067cbd8ea9e48e21a23c87da48962ecd88f7bb2f249f1`
`font_01_sfnt_off0000efc0.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xEFC0	9960 bytes
SHA-256: `1f716d71d100bbecaae492c437e57aa7b182ae5d4dae448979b3664cdc8ee49d`

Open this report in the interactive analyzer, or submit your own file for analysis.