Malicious PDF — malware analysis report

Static analysis result for SHA-256 f1302a049298c13b…

Verdict: MALICIOUS
File type: PDF

Size: 85.9 KB
Created: 2021-04-08 20:28:15 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-24
MD5: 05512015c6fbda2603e9a787521810b7
SHA-1: 545380001c4a0b38ed741b5f18f1faae1ef7f076
SHA-256: f1302a049298c13ba0641e1485e8c73cee24eef3857d58673ad5f7189e8411ee
Risk Score: 126

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted, with the channel that reached each:
    • https://baarspo.ru/strik?utm_term=how+to+make+dominos+garlic+parmesan+white+sauce (PDF link annotation)
    • https://cdn.sqhk.co/jusulikipe/ojhAhyr/mini_manager_soccer_world_cup_perth.pdf (in PDF document text)
    • https://cdn.sqhk.co/xivovido/hgUiigj/stack_blocks_3d_level_488.pdf (in PDF document text)
    • http://zuviwadakaji.22web.org/migraine_news_reporter.pdf (in PDF document text)
    • https://cdn.sqhk.co/wixexozesila/VOaiheY/wowogalorozas.pdf (in PDF document text)
    • https://cdn.sqhk.co/bitomasijelo/bgfmqgi/war_thunder_warships_gameplay.pdf (in PDF document text)
    • https://cdn.sqhk.co/lenawemijixe/FAdhbID/stickman_soccer_2014_hack.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://1b65b899-5fad-42bd-af9e-a3fb1d6a4c80.filesusr.com/ugd/a2ebd8_42f9fb7689354066a84fa4587f4e7ad8.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/a0ad9f6b-20a6-4ade-8171-44abf4b02454/leginexopuwumobatamum.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/293d7f59-0426-4eaf-ae0e-c3fcb0997403/soren_kierkegaard_either_or.pdf (in PDF document text)
    • https://s3.amazonaws.com/zifozujiwi/beiimaan_love_movie_hd.pdf (in PDF document text)
    • https://ff999131-262c-4f46-aa1e-84c50d3d9e43.filesusr.com/ugd/a474dd_a7e7735eac9b4cd88fe1649ed1439479.pdf?index=true (in PDF document text)
    • https://1b3e2d6a-0348-4772-9bb2-16e56a761455.filesusr.com/ugd/7bcf02_379a1ee8f79046fd805887498d9d279d.pdf?index=true (in PDF document text)
    • https://a161ff94-1a6f-4367-b6f8-8e513a5e676d.filesusr.com/ugd/4c7633_e8890d1a86f3404e9dc6bc308be0b23a.pdf?index=true (in PDF document text)
    • http://zaxokejik.rf.gd/44380163751.pdf (in PDF document text)
    • https://s3.amazonaws.com/vikukinumet/1679651084.pdf (in PDF document text)
    • https://s3.amazonaws.com/xupizewuxere/23482357129.pdf (in PDF document text)
    • https://9539e3d7-93ad-434a-85ac-22bd9bdb82bb.filesusr.com/ugd/df7b34_6ea13f91245a418bac5b148dc5884fa8.pdf?index=true (in PDF document text)
    • https://b67fa923-03b4-4d21-b555-95ff628d7525.filesusr.com/ugd/1d4b90_e44dbff8570f4d42a6e63533c3c3689f.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/5b311c9a-b1b9-4970-bca8-2175524afb5a/is_the_watsons_go_to_birmingham_on_disney_plus.pdf (in PDF document text)
    • https://5057b38b-f250-4925-a5fd-2dbc054a2c1f.filesusr.com/ugd/25ee37_c2e2f823deee4a7e9fe95b9eb4c47989.pdf?index=true (in PDF document text)
    • https://318abaa7-a496-4882-a5ef-186b1d719b20.filesusr.com/ugd/ff2e65_9fc1927fc2614bdb97050675d25e8778.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/8f748b64-f24c-436c-9c53-3f8900ac8915/rivalozasi.pdf (in PDF document text)
    • https://9f503c4c-bf14-4dcb-9a7a-68e0e5bb3568.filesusr.com/ugd/8ac1ab_ac2fd672e0da436ab960acab242f7d56.pdf?index=true (in PDF document text)
    • https://s3.amazonaws.com/bagokiko/how_to_pass_dmv_written_test_2020.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000fbab.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFBAB | 5604 bytes
  SHA-256: 35b6bb6b2e48ec3ac7468d14c2ff3960bf5d543bfa78cf359ca66d8c1446ef35
font_01_sfnt_off00010e99.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10E99 | 11092 bytes
  SHA-256: c8438c5a4035622e29f547a52b3a53c75992e21a71ace45133b6ed605f35f477
font_02_sfnt_off00013456.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13456 | 16092 bytes
  SHA-256: ea75db71c9df7250347a03039f742fcd189f5fc3f08964e696816fa8b5227073