Malicious PDF — malware analysis report

Static analysis result for SHA-256 e3d39f1879d4956f…

MALICIOUS

PDF

79.5 KB Created: 2021-09-20 04:46:26 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-26
MD5: 777429b11624037b2f667e6b51aa66b8 SHA-1: f21078c855eec0659f8dcedf7c4be73574b05e0d SHA-256: e3d39f1879d4956f0fac7573b33ffd3edbd37a3961c97b1adfc50dfebc229fc1
106 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The sample is a PDF document that contains numerous embedded URLs, many of which point to other PDF files. Heuristics indicate a browser extension installation lure, suggesting the document's purpose is to trick the user into downloading and executing a malicious payload disguised as a necessary update or plugin. The ML classifier strongly flagged this PDF as malicious, and the presence of external URIs further supports malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9985

Heuristics 5

  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://queure.ru/uplcv?utm_term=putlocker+video+downloader+chrome PDF link annotation
    • http://ecole-belair.com/ecole/file/jusotaw.pdfIn PDF document text
    • https://eghamatkade.com/basefile/eghamatkadecom/files/23197413193.pdfIn PDF document text
    • http://trackeg.com/en/wp-content/plugins/formcraft/file-upload/server/content/files/16134372cd8fc1---38195124639.pdfIn PDF document text
    • http://yao-cheng.com/uploadfiles/20210915234608.pdfIn PDF document text
    • http://mellorymotors.ru/admin/ckfinder/userfiles/files/70204458867.pdfIn PDF document text
    • https://austarpharma.com/upload/files/jaxulisekexutixumenazobax.pdfIn PDF document text
    • http://sprostredkovanieuverov.sk/res/file/49261078339.pdfIn PDF document text
    • http://anais.terminarz.online/kosmetyczka/krakow/files/95155165777.pdfIn PDF document text
    • http://c-six.it/userfiles/files/dabinatevagutogapi.pdfIn PDF document text
    • https://scavilecis.it/userfiles/file/xoxumulibumikukevoluj.pdfIn PDF document text
    • http://studiolaviano.it/userfiles/files/66487323908.pdfIn PDF document text
    • https://pasarangroup2.com/contents/files/muwupipuworexu.pdfIn PDF document text
    • http://ros-audit.com/i/up/file/11654869848.pdfIn PDF document text
    • https://jackinthegymtpe.com/uploads/files/202109051925537291.pdfIn PDF document text
    • http://jtylek.pl/Upload/file/11814633894.pdfIn PDF document text
    • https://metroguards.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/16147783a00405---45117389341.pdfIn PDF document text
    • http://exteractif.fr/pictures/2/rupulefizonotogu.pdfIn PDF document text
    • https://bankubezpieczen.pl/userfiles/file/4714806755.pdfIn PDF document text
    • http://michalpavlicek.com/uploaded/file/63930171513.pdfIn PDF document text
    • http://muzycznescyzoryki.pl/userfiles/file/penapituvabe.pdfIn PDF document text
    • https://dacoma.ro/wp-content/plugins/formcraft/file-upload/server/content/files/1614161dabdd3e---fevifajifaz.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d3e3.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD3E3 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off0000ebfa.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEBFA 10812 bytes
SHA-256: 7111ff4e14e5446e864a164939703d8055e298a8919eadf2d21fe1fd68b612d5
font_02_sfnt_off000104c2.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x104C2 16948 bytes
SHA-256: 0cb44d2bb03a0eead376ccc58710bb4325e13ce5e7b7965311b13a7e15022d14

Open this report in the interactive analyzer, or submit your own file for analysis.