Malicious PDF — malware analysis report

Static analysis result for SHA-256 e79b562bd1ccf520…

Verdict: MALICIOUS
File type: PDF
Size: 80.9 KB
Created: 2021-06-10 23:03:41 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-13
MD5: 7bf5922f9c24c892f2b8cd1bce78bde4
SHA-1: c645dea08a9442107cb688a984ec86330a9e778a
SHA-256: e79b562bd1ccf5203da20e649a7810fae54532f461a439628f3c80f0116e7170
Risk score: 126

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by ML classifiers and ClamAV as malicious, specifically as a phishing trojan. It contains numerous embedded URLs; the primary external URI, carried in a link annotation, points to 'https://synerhu.ru/pbw?utm_term=your+name+eng+sub+full'. The heuristic 'PDF_SEO_DISPOSABLE_LINK_FARM' indicates the PDF is built as a link farm on disposable hosting, further supporting malicious intent. No scripts were extracted, but the presence of external URIs suggests an attempt to redirect the user to a malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9983

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting [medium, PDF_SEO_DISPOSABLE_LINK_FARM]
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk lies in the linked destinations.
  • External URI [info, PDF_URI]
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://synerhu.ru/pbw?utm_term=your+name+eng+sub+full (PDF link annotation)

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000d61c.bin (kind: pdf-font-stream; source: PDF embedded font (sfnt) at offset 0xD61C; size: 3936 bytes)
    SHA-256: 2db82d620362954f416c1972358186021da4fab46e96ddc728a3cc749ba47d9a
  • font_01_sfnt_off0000e42e.bin (kind: pdf-font-stream; source: PDF embedded font (sfnt) at offset 0xE42E; size: 5188 bytes)
    SHA-256: 3002c4e822b6202dbcf40d7aaf480aaa78a1677e67e6cd7d0faf5042a1f16ed7
  • font_02_sfnt_off0000f5be.bin (kind: pdf-font-stream; source: PDF embedded font (sfnt) at offset 0xF5BE; size: 10748 bytes)
    SHA-256: c4d9fdfcdf27bcaa6d2c751161dfd8d25a1f9b0c61bc05b22f55df2e1d9b60e8
  • font_03_sfnt_off00011ad6.bin (kind: pdf-font-stream; source: PDF embedded font (sfnt) at offset 0x11AD6; size: 17260 bytes)
    SHA-256: c4aec8fc128d9a375fb14928741ee5afa93c85ed9d776a32248188fa885a7d02