Malicious PDF — malware analysis report

Static analysis result for SHA-256 ebf58702f999013e…

Verdict: MALICIOUS
File type: PDF
Size: 109.3 KB
Created: 2021-03-15 20:30:29 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-21
MD5: b0600ffa34336f9b791d6bbd9c30a437
SHA-1: 2784d2f15c8c1c62172fa8596fa1235485bc7ab1
SHA-256: ebf58702f999013ed976e2d8dc5cb51a93a312b2a54c9e625cfc9875829d27ef
Risk Score: 186

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was identified as malicious by ML classifiers and ClamAV, flagging it as a phishing trojan. It contains a large number of external links, many hosted on disposable domains, suggesting a link farm designed to redirect users to malicious sites. The document body, though heavily obfuscated, appears to be a lure for 'Bharatha rajyangam in telugu pdf free download', indicating a phishing or scam attempt.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9975

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://pelibifir.ru/award?keyword=bharatha+rajyangam+in+telugu+pdf+free+download (PDF link annotation)
    • http://didazema.mypressonline.com/la_divina_comedia_resumen_el_infierno.pdf (in PDF document text)
    • http://dutarotanazosuv.medianewsonline.com/26134735975.pdf (in PDF document text)
    • http://creditreportus.info/80521234032yidw.pdf (in PDF document text)
    • http://epipog.com/89557674349rvate.pdf (in PDF document text)
    • http://disclosures.space/ovulation_chartry1rp.pdf (in PDF document text)
    • http://zathkatow.xyz/pobikubatamisisimobqrzci.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • http://fedorahosted.org/lohit (in PDF document text)
    • https://e1ca4115-fb55-43f9-84f1-eaf814f8c83f.filesusr.com/ugd/18122d_1afc6eaf5c7d4fd98cb57320803568db.pdf?index=true (in PDF document text)
    • https://45f0f727-c607-4398-b3b7-8b42e23b21b2.filesusr.com/ugd/0a84ca_8201c73b1225426bbef7c5bdca90de60.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/bfcb8acf-fabc-4792-a1fa-eb3aca10f8af/rizeko.pdf (in PDF document text)
    • https://9d3edb37-11ce-4d87-b861-4f8d850d55a0.filesusr.com/ugd/0d2aa0_4e3faec2107e4f97a95ac7b87bbcf416.pdf?index=true (in PDF document text)
    • http://vidugozu.atwebpages.com/hillsborough_county_first_day_of_school_2020.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/3c5a3699-9032-4e57-8070-8c46ae69f6dc/can_you_use_headphones_with_roku_tv.pdf (in PDF document text)
    • https://1a2149e7-ca7f-4e7c-a584-0e483de6f3af.filesusr.com/ugd/9219f8_be32b1d423d7450db5fba2fc6891b0bb.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/31c2c681-64f3-4b76-9bf0-381fc7a2a444/how_to_reset_a_kenmore_dishwasher.pdf (in PDF document text)
    • https://af431a04-9ebc-4ea4-a98d-45e4ffbfad14.filesusr.com/ugd/485053_a4096f4de6d94cdb843e989b4c790e81.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/9dfbb907-99f7-4bdd-9215-79b0c28858d8/72713173729.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/a5d5bc16-4bc8-44d1-9dbf-fa71ae882a3b/51079243202.pdf (in PDF document text)
    • https://8ac5c8e1-9174-427d-95c2-90bebb9f105a.filesusr.com/ugd/44b221_7dd1b02d108b499d94c1b75a9214161b.pdf?index=true (in PDF document text)
    • http://vilepobafomunow.atwebpages.com/56240618024.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/28bc0ced-a64b-4095-8d0b-a37c2d718c96/25175455966.pdf (in PDF document text)
    • https://2080fafa-2491-4ac3-8118-a138f33bff34.filesusr.com/ugd/822ecd_d510df15e9124c0eade7423ff8ad3672.pdf?index=true (in PDF document text)
    • https://61069a5e-3c5f-4884-a3c7-8c7552058b74.filesusr.com/ugd/0789d5_35cf31ae8e624b1ab52158d40b58cb12.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/e0d0afcb-5a28-4104-b2c7-4927cb0c1c7f/72425597109.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/8cce678e-a121-442b-8a26-6c1280f2d70a/66493612867.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00010a76.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10A76
    Size: 5596 bytes
    SHA-256: 9c2763d29b0940d25dc742c7e0b9a562dfeb9a000e0db10025f967344bdd39a7
  • Filename: font_01_sfnt_off00011d72.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11D72
    Size: 39924 bytes
    SHA-256: 319eaa27128540a0a4c4758de95a71fb2f278bbe5d2c6eac4a7ca01f2d455851
  • Filename: font_02_sfnt_off00016bde.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x16BDE
    Size: 10768 bytes
    SHA-256: f249027222ea92ce0dc489efc6c0d9d21f23b89f1b075682771d20371aa13251
  • Filename: font_03_sfnt_off0001910f.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1910F
    Size: 16184 bytes
    SHA-256: 123975e40135809d541a909889c89f4c2c1f20fdb68e7364e169f08795e4f36c