Malicious PDF — malware analysis report

Static analysis result for SHA-256 f1d2e7d69f7e29b2…

MALICIOUS

PDF

Size: 89.0 KB
Created: 2021-03-14 02:43:26 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-06-28
MD5: 3c55c1da7b3e15a139b2e5ff769a86b8
SHA-1: 68bb5cf887b874a6bbc392c4f9e9da28e136ab64
SHA-256: f1d2e7d69f7e29b2e0fe614e4a9c38e184b6b76f3d123470a96cfc4c856dd509
Risk Score: 244

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment; T1059.007 JavaScript

This PDF file contains numerous links, many pointing to disposable hosting, and one critical link to a known malicious redirector. The document body, though heavily obfuscated, appears to be a lure related to a Maytag washing machine issue. The presence of a malicious redirector and the link farm structure strongly suggest a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9965

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs found in PDF document text:
    • https://yafferge.ru/wb?keyword=my%20maytag%20washing%20machine%20is%20not%20draining
    • https://cdn.sqhk.co/rowavarop/jfghaig/linen_closet_cabinet.pdf
    • https://cdn.sqhk.co/jojikoxazew/giiahp4/metal_slug_defense_apk_mod_ilimitado.pdf
    • https://cdn.sqhk.co/mibemofega/BVhbte4/towexerirabomodesoje.pdf
    • https://cdn.sqhk.co/dafibuxoki/hhhhhd5/zutetudarugexa.pdf
    • https://cdn.sqhk.co/kupujape/hiTggHF/stickman_free_fire_survival_battleground.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://729282ec-1290-4cbc-9302-cf8a24acd4c7.filesusr.com/ugd/42c189_ee11c3d2cff0438ca2fe7e59fd9baf2a.pdf?index=true
    • https://s3.amazonaws.com/bidivo/business_card_vector_design_free.pdf
    • https://da99f664-88c7-4a27-98aa-0bbcec2e8f57.filesusr.com/ugd/66f3f9_ed3d820551294c179f668a269152c060.pdf?index=true
    • https://907864b8-ab38-4b43-b195-7646ee37c451.filesusr.com/ugd/c4b402_5e006143e09a48678b54778564a42bf9.pdf?index=true
    • https://b01ec662-dec5-4f54-b977-8708717d6054.filesusr.com/ugd/07e02c_f55304fd7372417b9c74699789eabc22.pdf?index=true
    • https://9849c7ec-8b19-4b81-9a64-db2537ea7c40.filesusr.com/ugd/97b1c0_c9b03f590e164475aa4542d748c338d3.pdf?index=true
    • https://s3.amazonaws.com/pulujolatepuv/format_umsatzsteuer_id_belgien.pdf
    • https://s3.amazonaws.com/wujodibu/online_news_article_apa_format.pdf
    • https://6e229dea-1f83-4be8-8cd3-388eabd4f5e3.filesusr.com/ugd/1cfe37_af8c58db343f4175b9977c89e2ef938f.pdf?index=true
    • https://s3.amazonaws.com/padanivozeb/vepupaboxewesexozuvazaraj.pdf
    • https://14535e1a-360a-4d01-a655-fa33e115c80e.filesusr.com/ugd/b222ea_23d0d7b458164fb19f40a9e257ac7024.pdf?index=true
    • https://3064a0a7-8496-4b95-be1e-56094aee372f.filesusr.com/ugd/0cf4b9_e059495fc8464bf5ba5cec39352a640b.pdf?index=true
    • https://3f5765b5-411c-4b28-96d1-a1e3b219bcee.filesusr.com/ugd/ca847e_d5f74f544cf94489958761b3ba342165.pdf?index=true
    • https://eaae50f7-3b1c-4f1b-9b3c-e2a48377569d.filesusr.com/ugd/b96e41_e9bfe8ecd1204df1a3a3e61bbdaa0025.pdf?index=true
    • https://e5eb5b25-b33c-43e3-82d5-57ab1bf863d8.filesusr.com/ugd/b0c717_8c5ffd6598434d6da256788b7f61fbf8.pdf?index=true
    • https://0f285ee0-1b14-49a2-8a3e-060a2db94812.filesusr.com/ugd/4bf67f_f4c93ca0b8c44da08018a756185791ec.pdf?index=true
    • https://917ed8d3-8a9f-4c5c-a3ad-554e533308ad.filesusr.com/ugd/a4e402_a8fcf5c5831d488eaf3bf65d0b6e0973.pdf?index=true
    • https://59bb578d-b312-442a-858b-1a1a54b18a6c.filesusr.com/ugd/c79b1c_de0228718d1742df880a8d97def27621.pdf?index=true
    • https://a97cc435-ef8e-4ffb-8544-4b9c0bda5a6e.filesusr.com/ugd/7ab440_a91d72a344524636ab79dcaf35b6dcb5.pdf?index=true
    • https://0eb00d84-361a-45dc-b346-1af5c8eb785c.filesusr.com/ugd/d79848_bebc43812c3e4c10996cc51a12a09aeb.pdf?index=true
    • https://8271b8e8-1520-4b18-8785-2fafc8cd33e6.filesusr.com/ugd/efc97f_6e297b501dc240718cb0d54fc25c4e0b.pdf?index=true
    • https://1a6c606f-1efd-495f-9370-57f425d809fd.filesusr.com/ugd/1be480_b652b4a644954463853bee618f911240.pdf?index=true
    • https://b00f38ea-0d13-4519-ab0f-1253f0d03ca0.filesusr.com/ugd/289c5e_9332159918a947f5813454686b1e87a8.pdf?index=true
    • https://af8e4364-7f8a-45ec-af3e-d69da1c27fbb.filesusr.com/ugd/12c36c_296b7a8daf7943df8408a95e41e798d0.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00011d89.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x11D89
  Size: 5520 bytes
  SHA-256: b2ca1e73d8554018facd3be9002fa611921184c2d4c7d36fc8198a0a01edf8ac

Filename: font_01_sfnt_off00013041.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x13041
  Size: 11108 bytes
  SHA-256: 524ce1edc30d4f1ec04e999be13de9b8d4ec22accbac4cea376128a54ca217e7