Malicious PDF — malware analysis report

Static analysis result for SHA-256 ee17660e4c695102…

MALICIOUS

PDF

77.7 KB Created: 2021-05-17 15:51:02 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-21
MD5: 99f3af31fe7a1b19eb95660d42d36436 SHA-1: d30723afad2a26c3a80564cbbde0ffa8d6f836f1 SHA-256: ee17660e4c69510220759f048460129f8c0fe3a533a644fbeca1a3d9242cb9e9
226 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution T1071.001 Web Protocols

This PDF document contains a large number of external links, many pointing to disposable hosting, suggesting a link farm or phishing campaign. The presence of a 'Clipboard command execution lure' heuristic indicates the document likely instructs the user to copy and paste content into a command-line interface, a common tactic for executing malicious commands. The ML classifier and ClamAV detection strongly indicate malicious intent, likely related to phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://pelibifir.ru/strik?utm_term=amazon+fire+hd+7+4th+generation+root PDF link annotation
    • https://cdn-cms.f-static.net/uploads/4445879/normal_6051fbc188160.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4464720/normal_600773e9209f3.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4468268/normal_6047366e63dac.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4374860/normal_6017260c99beb.pdfIn PDF document text
    • https://simebusuf.weebly.com/uploads/1/3/1/4/131406507/mirupewigej_dubufeso.pdfIn PDF document text
    • https://gemikomumupoj.weebly.com/uploads/1/3/4/3/134393585/pakenesu-lejuridox.pdfIn PDF document text
    • https://mojipolizu.weebly.com/uploads/1/3/4/3/134318612/zovigaz-zonelo.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4448746/normal_605868a3077a9.pdfIn PDF document text
    • https://xaduvabelo.weebly.com/uploads/1/3/5/3/135324105/kubuterukufe-pamofimabidizeg.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4369158/normal_6014f959f20b0.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4466675/normal_6012db1f0ee03.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4498404/normal_6021c1c9dbb45.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4393772/normal_6008e85ed9497.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://ff8eac81-0dee-4da4-b7c1-1dee070544a7.filesusr.com/ugd/2637cf_5bd0259a079a4d70918572722be2df66.pdf?index=trueIn PDF document text
    • https://e8677ced-6330-435e-8237-200fb10408a4.filesusr.com/ugd/a4c1fa_0271eb2ee9134451bd16812545e31fce.pdf?index=trueIn PDF document text
    • https://9e2b3e3a-6a02-4d3b-8ba9-5acc01041672.filesusr.com/ugd/66c878_34cdd768c0704456930c0b3e8dfd3708.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/e8fbb139-664b-46b8-a4dc-949a68ffaf2e/nedizudaxejuz.pdfIn PDF document text
    • https://101c3d73-5e22-4da1-a203-a3a2a794ce88.filesusr.com/ugd/69a512_3aede908d10f4be9909ef96c1d95ca8e.pdf?index=trueIn PDF document text
    • https://34570882-574e-4d25-8c0e-d8b9b6c2967f.filesusr.com/ugd/cb2bed_bb8455c20bec4b77b93df7954fdb24be.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/70a0882f-420a-48af-9cfc-76099afd30e3/39265966683.pdfIn PDF document text
    • https://633ee4a5-ef7f-4c35-8c02-ac6c60bc6361.filesusr.com/ugd/0ab374_4cb0df347a9e4d60b123ebc226186fa3.pdf?index=trueIn PDF document text
    • https://69b3109a-7cce-4514-9193-d2106d9976ab.filesusr.com/ugd/3c2969_cdc3d53de7e047d68e16bf6e047d1aca.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/c6f8d9d4-bb6c-416d-b521-e1e16ad5241a/what_does_maint_reqd_light_mean.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/c46f95d2-6eb1-4e80-b2d0-11415a8aacc0/how_do_i_fix_error_code_f21_on_kenmore.pdfIn PDF document text
    • https://2bb9e989-9ce9-409f-aa8a-839f2ea8d3bf.filesusr.com/ugd/9f8cc2_fe08ca18fb584c449e53307af42738b0.pdf?index=trueIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f2a7.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF2A7 5320 bytes
SHA-256: a2f60746d3af3247d821dfbc5acf9bc304778ab952362294f747dda8025ec698
font_01_sfnt_off000104a9.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x104A9 10688 bytes
SHA-256: d7010e9ee25a824de3ae0817745de80d820c9adb8504f1f2e5b923bc1f603ef9