Malicious PDF — malware analysis report

Static analysis result for SHA-256 f12ce26605828565…

MALICIOUS

PDF

88.9 KB Created: 2021-05-06 12:43:37 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-23
MD5: d6bcc7d2e9a773dfe5b56880dffe41e3 SHA-1: 971b13ee1afedb14f9da7232c807425f516873bd SHA-256: f12ce2660582856544d9d91cbd22069022740f00254de981bfe45b96cdbc38c7
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://botokaw.ru/strik?utm_term=black+ted+dekker PDF link annotation
    • http://maporivibadiwaj.iblogger.org/circular_loop_antenna.pdfIn PDF document text
    • https://cdn.sqhk.co/fojizejoxu/idgiviC/dig_deep_volleyball_tryouts.pdfIn PDF document text
    • https://xezatitewifesel.weebly.com/uploads/1/3/4/3/134393938/kepod.pdfIn PDF document text
    • https://cdn.sqhk.co/vivokunavu/3Xjfngc/banana_pepper_appetizers.pdfIn PDF document text
    • https://pegugigatusib.weebly.com/uploads/1/3/4/4/134460290/fc3f65d1.pdfIn PDF document text
    • https://nonejekorozu.weebly.com/uploads/1/3/4/1/134108542/c4386eb789cfa.pdfIn PDF document text
    • https://nuvawusop.weebly.com/uploads/1/3/5/3/135302159/mifonozuxuvel_sizafak_vixavejubo.pdfIn PDF document text
    • https://cdn.sqhk.co/bivuwusim/gf1Z3id/69946056439.pdfIn PDF document text
    • https://cdn.sqhk.co/gabebutiz/ibijcjc/lebaran_2021_kalender.pdfIn PDF document text
    • https://raxopukefafifi.weebly.com/uploads/1/3/2/6/132695755/232970.pdfIn PDF document text
    • https://cdn.sqhk.co/gutifusuf/dEgdicG/67637153940.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://s3.amazonaws.com/levovod/sql_server_developer_tutorial.pdfIn PDF document text
    • http://fufabufitilaf.epizy.com/easy_snacks_recipes_in_tamil.pdfIn PDF document text
    • https://s3.amazonaws.com/jewizopukuni/zedawoburogedezo.pdfIn PDF document text
    • http://laxozoz.epizy.com/price_of_rabbit_hole_bourbon.pdfIn PDF document text
    • https://d6d3a1c5-32ce-46e9-ae92-c5b8d84d65d9.filesusr.com/ugd/a3b54b_f26eaf5256ad4c7582572ba5eae222b4.pdf?index=trueIn PDF document text
    • https://s3.amazonaws.com/varoximu/windows_keyboard_shortcuts_vs_mac.pdfIn PDF document text
    • https://s3.amazonaws.com/gixawetopoli/xulezid.pdfIn PDF document text
    • http://zivumimilalak.rf.gd/bruchrechnen_addition_aufgaben.pdfIn PDF document text
    • http://kipurifer.epizy.com/atropina_vida_media.pdfIn PDF document text
    • https://s3.amazonaws.com/runuzitexokol/wojorifu.pdfIn PDF document text
    • https://s3.amazonaws.com/vonusirukete/vet_assistant_school_near_me.pdfIn PDF document text
    • https://e082b6be-64c0-45f6-a8ff-82b9c6f476f0.filesusr.com/ugd/1479de_0e7b8e22ffc44b06b6b4637a111480b4.pdf?index=trueIn PDF document text
    • https://181f3bdf-810f-4c34-abb3-9f3362228cd6.filesusr.com/ugd/30415f_8369adb95c46480a8c2cd4ec1ec2aa1a.pdf?index=trueIn PDF document text
    • https://s3.amazonaws.com/donake/original_xbox_emulator_for_android.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00012034.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x12034 4868 bytes
SHA-256: 6bce43f92ba1c9f4adfb01209abd8c49035f446443322feb2df169d86fc0af97
font_01_sfnt_off000130cf.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x130CF 11400 bytes
SHA-256: 45b62a1010b8024f3b03d8f1faf8481a8ca74830a1d3327aee036e5a8a867c8b

Open this report in the interactive analyzer, or submit your own file for analysis.