Malicious PDF — malware analysis report

Static analysis result for SHA-256 f293b163ca340f18…

MALICIOUS

PDF

85.5 KB Created: 2021-04-19 03:21:16 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 927b512ce6e5b0d8546f49626e2a368d SHA-1: ba7ea8ae34d6d174e78f3bb52e6d1ae0bf9f7777 SHA-256: f293b163ca340f18a996fc40237ebb209da2818050a99ea7c90e88b167968208
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a significant number of external links, many pointing to disposable domains, suggesting a link farm or SEO manipulation tactic. The presence of a ClamAV detection for 'Pdf.Phishing.Trojan' and a high ML classifier score further indicate malicious intent. The document body, though heavily obfuscated, contains references to 'wkhtmltopdf' and a date, suggesting it was generated programmatically to appear as search results for 'warcraft 2'.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://zajinet.ru/strik?utm_term=when+does+warcraft+2+come+out
    • https://nipixejewawowe.weebly.com/uploads/1/3/0/8/130874539/moxesare.pdf
    • https://movabeze.weebly.com/uploads/1/3/0/8/130814110/2370580.pdf
    • http://tezibif.mygamesonline.org/dobunagaxozakebunorin.pdf
    • http://gubixazolela.sportsontheweb.net/addition_subtraction_of_fractions.pdf
    • http://stnold.com/andrew_cardwell_rsi_course13m2i.pdf
    • http://luchdobro.site/how_much_cost_to_fix_air_conditioner_in_cark2gk4.pdf
    • http://magic-spring.com/jaxegevebozudamago3hyq.pdf
    • https://zodemabu.weebly.com/uploads/1/3/4/8/134896511/pitibosuxizena.pdf
    • http://pogawubujogeje.mypressonline.com/36049926206.pdf
    • https://bapamebitisetup.weebly.com/uploads/1/3/4/3/134325238/dimebetorixonil_velix_jorosodoxud.pdf
    • http://nejupike.mygamesonline.org/cyberpunk_2077_ps4_patch_1.06_size.pdf
    • https://rarejiwu.weebly.com/uploads/1/3/1/6/131606055/lidixazupuxofe.pdf
    • http://ewop.space/24475595566oewaf.pdf
    • https://lerorenoj.weebly.com/uploads/1/3/5/3/135390996/1b408346499be7.pdf
    • http://hermidkovo.info/control_systems_engineering_pe_exam_review_courseobjiv.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://92923600-264c-4cb8-9d87-181083d4f0d6.filesusr.com/ugd/0bf43f_2d070c5f8a9c4fe181c9ebf36ccf21a4.pdf?index=true
    • https://s3.amazonaws.com/didowugorokirug/mipikevebi.pdf
    • https://de99c131-68bf-4271-bcef-cda292486844.filesusr.com/ugd/f5892c_33dd538cd52844d28d66e78a0f230cd3.pdf?index=true
    • https://s3.amazonaws.com/julexekubaj/ladapogufuxevoponidag.pdf
    • https://s3.amazonaws.com/toliwudalamem/xamenagudo.pdf
    • https://99470c7d-c692-4648-a7b8-36ea19db2883.filesusr.com/ugd/ab059d_17ca60686d9b4a80b6108bec23c235e4.pdf?index=true
    • https://f8071fb1-33dc-4bb9-9fe9-292e0ca0d861.filesusr.com/ugd/253000_5ac4504c17c645d4bee2ca3c1cd0e0ae.pdf?index=true
    • https://s3.amazonaws.com/wakuzidi/bakewuvijuzugagenipe.pdf
    • https://s3.amazonaws.com/vajefam/complete_metamorphosis_vs_incomplete_metamorphosis_worksheet.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ffa5.bin
379dff97856f61f53ee1623393ac53522dad09fe0febd586810aa19cf4249dad		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFFA5 5300 bytes
font_01_sfnt_off0001118c.bin
f8a8fef5f5ef784de8cd37fc4a821438f1ea9048f13dbf12ca8a28446af85a7b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1118C 11360 bytes
font_02_sfnt_off00013836.bin
05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176		 pdf-font-stream PDF embedded font (sfnt) at offset 0x13836 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.