Malicious PDF — malware analysis report

Static analysis result for SHA-256 f1d6738e0f49b174…

MALICIOUS

PDF

Size: 78.1 KB
Created: 2021-04-07 20:31:18 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-13
MD5: 1f5b7f78d95230a59f5f82383e7cffa1
SHA-1: 08d81e1c59dec63dde3a18f728ae784cee813a7a
SHA-256: f1d6738e0f49b174539f04fa11778b4641854a2685f97416a1c7f7de51e8cd99
Risk Score: 196

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was identified as malicious by multiple heuristics, including a critical ClamAV detection and an ML classifier. It contains numerous external links, forming a link farm, and uses a redirector URL (https://mezovuduw.ru/123?utm_term=analytics+report+sample) to disguise the true nature of the download, which appears to be a phishing attempt for malware. The document body is heavily obfuscated, preventing a clear understanding of its direct content, but the heuristics strongly indicate a phishing lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9964

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://mezovuduw.ru/123?utm_term=analytics+report+sample (PDF link annotation)
    • http://makasef.22web.org/algorithme_exercice_corrig_1ere_anne.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4482882/normal_5fc5bf19c3e34.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4447263/normal_5ff758c14381e.pdf (in PDF document text)
    • https://pusesame.weebly.com/uploads/1/3/4/6/134662227/6286585.pdf (in PDF document text)
    • https://zadukali.weebly.com/uploads/1/3/5/3/135340438/6398012.pdf (in PDF document text)
    • https://wafitaweligu.weebly.com/uploads/1/3/4/5/134587259/kuzadosave_tavawivakuliva_naxixewavetore_loverenokavejed.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4463262/normal_602b518aa84be.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4446635/normal_5ffa3b8e92a9f.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4417670/normal_5fc793789c934.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4454302/normal_60089f67cacfb.pdf (in PDF document text)
    • http://lugemeba.iblogger.org/dell_latitude_e6410_keys_not_working.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4486356/normal_6013a192b4b3c.pdf (in PDF document text)
    • https://pazodozonevaken.weebly.com/uploads/1/3/4/6/134606284/60ebaed488e0f.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4407318/normal_602d1cb2ef6df.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://869e45c2-9c2d-410b-ad52-4d3411d41339.filesusr.com/ugd/73bd41_4ba7df6647d048bb9be203768031b401.pdf?index=true (in PDF document text)
    • http://rotitow.rf.gd/cabala_do_dinheiro_gratis.pdf (in PDF document text)
    • https://33c7e2ec-32fc-4676-a642-9d95a4379e01.filesusr.com/ugd/622218_93abf423917d4674905438a51c70a1da.pdf?index=true (in PDF document text)
    • https://f3c4034a-4a94-4c47-b6c5-0445626d7bf8.filesusr.com/ugd/655f09_aa0960086b754504beac1bd1d858910b.pdf?index=true (in PDF document text)
    • https://7893bdd6-41e4-48f6-9953-3a636dfb5d61.filesusr.com/ugd/c5c63b_8ad76690726b4cf2a87261b939f1f8e1.pdf?index=true (in PDF document text)
    • https://4bd9ed84-c80b-4837-bb2f-b1353ebfd8aa.filesusr.com/ugd/5a1791_ef2a92840e094a47b73e2d95e03fb707.pdf?index=true (in PDF document text)
    • https://22fea36a-5e19-4af1-b4aa-fe6e1efe0ee9.filesusr.com/ugd/b5a188_97155ded1e04499788cb6f8227438b37.pdf?index=true (in PDF document text)
    • https://49432a94-54bc-4d13-9d12-ea41d731e1b8.filesusr.com/ugd/a7c689_5542b4b6de644e21a5520d4a9aa9966e.pdf?index=true (in PDF document text)
    • https://5548a280-a194-4776-8019-0e256783c1fa.filesusr.com/ugd/f2c1dc_3a6679e5f40d4fb0829ecb770b3b1d08.pdf?index=true (in PDF document text)
    • https://cfecb619-c0f5-418d-ae9d-b1147643389f.filesusr.com/ugd/4cd51e_1b1ab8e9a4094462ad916d57ade1fd70.pdf?index=true (in PDF document text)
    • http://gotewadale.epizy.com/90285721875.pdf (in PDF document text)
    • https://d1ee23ee-9ccf-45b0-80ef-1e1ff1f657c4.filesusr.com/ugd/9ef0c3_a76b1e80ae164ef78eb5ade5b6a6a1eb.pdf?index=true (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000f357.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF357 | 5172 bytes
  SHA-256: 4bd6d4d7fb5b28bc9bd5e26589b3cb7e801ca5f76f9d95287da4707298990212
font_01_sfnt_off000104e1.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x104E1 | 11200 bytes
  SHA-256: 6e972324d69c9ad320fa3e93954a25f9302c4e5cfd8e740eefe9e667275bf884