Malicious PDF — malware analysis report

Static analysis result for SHA-256 e86b055f60a7d88c…

Verdict: MALICIOUS
File type: PDF

Size: 81.1 KB
Created: 2021-03-11 05:28:30 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-05-23
MD5: b0a14915241904876d8eec1d7a29f256
SHA-1: 825f1f03a25a5b02d006a7e69f1e67b886844c26
SHA-256: e86b055f60a7d88c544b02a7f7a0dd984216bc524905e7a767ba04246c6dbad6
Risk Score: 244

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of embedded links, many of which point to external PDFs hosted on various domains. One of these links, 'https://yafferge.ru/award?keyword=carding+machine+gauge+setting+pdf', is identified as a malicious redirector. The ML classifier and ClamAV also flagged this PDF as malicious, suggesting a phishing or trojan distribution intent.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9954

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://yafferge.ru/award?keyword=carding+machine+gauge+setting+pdf (in PDF document text)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off0000f045.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF045 | 5332 bytes | f875948a2c46adde2c718e6d80ebd525c869e394e8c5213d441192cbfd34322f
font_01_sfnt_off0001023b.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1023B | 11388 bytes | adb9401ac4b860bfebf29d12f03a84bb527228d383b539b04755cbe4914f0316
font_02_sfnt_off00012862.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12862 | 4324 bytes | 9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2