Malicious PDF — malware analysis report

Static analysis result for SHA-256 e73b5f9c05add391…

MALICIOUS

PDF

82.6 KB Created: 2021-03-22 23:06:44 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-23
MD5: e9b8a36b8aabf4557183a710c2c3d789 SHA-1: b1ec58326af533da7653885f9977f7b5fccf392f SHA-256: e73b5f9c05add39142527d8a96f8343c3dd92390a1f643dacac9a15822c9cce0
266 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File T1059.007 JavaScript

This PDF document is identified as malicious by multiple heuristics and a machine learning classifier. It functions as a lure, directing users to install browser extensions or updates, a common tactic for credential theft or malware installation. The document also contains a link farm with numerous external URLs, some of which are hosted on disposable domains, suggesting an attempt to distribute malicious content or engage in SEO manipulation.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics 8

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://crophysi.ru/wix?keyword=wwhotmail.com+inciar+sesion PDF link annotation
    • https://zujituxo.weebly.com/uploads/1/3/2/6/132681889/mafegura.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4496586/normal_5ffb05a320824.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4498376/normal_5fe607d922031.pdfIn PDF document text
    • https://wejowijugoli.weebly.com/uploads/1/3/1/3/131383775/2ff2a.pdfIn PDF document text
    • https://miruvogix.weebly.com/uploads/1/3/1/4/131408245/1443275.pdfIn PDF document text
    • https://zulitaxovali.weebly.com/uploads/1/3/5/3/135351491/dojizarot-nujufibul-baxotepovu-puxufakovutod.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4376857/normal_5fe9403f717cb.pdfIn PDF document text
    • https://xoxebugifujame.weebly.com/uploads/1/3/4/4/134478015/jazexuzotenaman.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/39c3f9ad-25db-4a95-85fe-e9309579d08a/53147436304.pdfIn PDF document text
    • https://83f018a0-8e49-44f0-b57e-805e464a5f06.filesusr.com/ugd/10a4aa_b1f176bc3c0c4f92b08afbae4b2dd0d9.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/739627ca-c778-49fa-a899-6d7bb3833f82/xilip.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/9c49cff2-b3ab-4175-854b-1ea4919c981f/how_to_fix_diaper_genie_elite.pdfIn PDF document text
    • https://6440a9f6-5e82-4153-977b-4ffe9374ec4a.filesusr.com/ugd/7182f3_59434984aa754f33b9711eb04a467e08.pdf?index=trueIn PDF document text
    • https://34570882-574e-4d25-8c0e-d8b9b6c2967f.filesusr.com/ugd/cb2bed_d4fa977dada44f019f2d3413ae9678e4.pdf?index=trueIn PDF document text
    • http://juvegebufu.epizy.com/annelids_mod_apk_unlocked.pdfIn PDF document text
    • https://dbb1fad9-9c05-458f-9e32-bc0b7f65d7ec.filesusr.com/ugd/451461_785065b5bc0e40baa45109a0f071ce06.pdf?index=trueIn PDF document text
    • http://rajixubododafu.epizy.com/cabinet_manual_rwanda.pdfIn PDF document text
    • https://1c019786-7048-4615-837a-ae53f087c4ae.filesusr.com/ugd/8b4172_22ae3951bfc54fc7be61b9d4bc9da899.pdf?index=trueIn PDF document text
    • https://69669160-cc20-42a3-bfef-e1e1fd1f8163.filesusr.com/ugd/8094a4_785adcd57523415a8a8aa9730812d8e4.pdf?index=trueIn PDF document text
    • https://d85b1738-a471-4043-b59e-116b2bb794a3.filesusr.com/ugd/97927e_6f82c8c57c3443259e16c22c8b2f791f.pdf?index=trueIn PDF document text
    • https://1d942ef5-affb-47d8-8f99-70a3d187b733.filesusr.com/ugd/3283b0_f39bb549835340afa2cc98b086589614.pdf?index=trueIn PDF document text
    • https://4b523d79-2bc6-404f-8e52-0acae4d2cb03.filesusr.com/ugd/fe1b41_242db41b70df4c41837526e88c049b76.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/ca0f254b-7f27-49e3-9af1-fa1ed3500403/66187799400.pdfIn PDF document text
    • https://1628ddcf-e301-416d-9649-d9339b85441b.filesusr.com/ugd/0b1079_61ac9800aa9c40c3b0adfd254e7b90a0.pdf?index=trueIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f946.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF946 5176 bytes
SHA-256: de0393a68e3c64cbdaf178c361757d0a8d67a71522b22a6d5b39cbec054dbfe0
font_01_sfnt_off00010abf.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10ABF 1804 bytes
SHA-256: 559e339ebb012a4711299e9f436f2accabb026881398d3942dea161b76ad44a3
font_02_sfnt_off0001139d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1139D 11912 bytes
SHA-256: 547f76a073fd474d709fceb6587f4becc3b8e470a182a0e37b9ce90a36e8381c