Malicious PDF — malware analysis report

Static analysis result for SHA-256 f359a71e29cbe022…

MALICIOUS

PDF

76.4 KB Created: 2021-06-09 21:41:11 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-27
MD5: e82787ac5f49ac324b05761ef2671dcd SHA-1: c65e7a515a4ddbeb062d42cd354b7cccd11c6816 SHA-256: f359a71e29cbe022d0c4b97ebe59859543be4f38f066883aa154583ac9b70bc3
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of external links, many pointing to disposable domains, suggesting a link farm or SEO manipulation tactic. One URL, https://coretry.ru/pbw?utm_term=filmora+for+pc+mod, is flagged as unknown and is likely part of the malicious infrastructure. The ML classifier and ClamAV detection strongly indicate malicious intent, likely phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://coretry.ru/pbw?utm_term=filmora+for+pc+mod PDF link annotation
    • https://cdn-cms.f-static.net/uploads/4418379/normal_6037a6f327b54.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4423154/normal_5fd6d2497737b.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4421330/normal_605c951feabf9.pdfIn PDF document text
    • https://tutuludoj.weebly.com/uploads/1/3/0/8/130874598/mapawefijit_bixiwuxelifa.pdfIn PDF document text
    • https://lijemokuw.weebly.com/uploads/1/3/4/8/134853622/bb326208dbec76d.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4502246/normal_6069fbee223d6.pdfIn PDF document text
    • https://moremutinujiti.weebly.com/uploads/1/3/4/8/134865562/borepavuvumujibisan.pdfIn PDF document text
    • https://somalinoduka.weebly.com/uploads/1/3/5/3/135392385/baneteruj-tafabujalo-botiligejefun-gumiruje.pdfIn PDF document text
    • https://static.s123-cdn-static-d.com/uploads/4393018/normal_60b1b575da34f.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/6d25c672-d7ec-4345-b8d6-30fe79e22572/foodsaver_v3880_review.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/14fe3877-9539-436f-94f5-40f7fe7a78c5/how_to_get_waves_with_comb_thru_texturizer.pdfIn PDF document text
    • http://lekuzax.pbworks.com/f/53864440798.pdfIn PDF document text
    • http://xutosop.pbworks.com/f/30972864001.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/e94cde49-8326-4367-9ea1-e063990ba484/what_does_business_line_of_credit_mean.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/8e2d0dfe-f220-416c-9b38-9a6a6077531f/kuvotipibufojixakosudi.pdfIn PDF document text
    • http://lexibitite.pbworks.com/f/21813930658.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/947fdd8a-6756-4b31-85c8-b04f48057e80/29678226620.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/077a70aa-3cd1-4141-bf9c-724a191edfcb/60030408499.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/77b0334b-2d68-4465-8e4a-c7c0f20aaa24/1131313628.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/4dde8e76-0772-4699-8274-74fb17565a4d/why_does_my_vizio_tv_have_a_blank_screen.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/d9644636-bb92-4a5d-9358-c6ec4490e2ad/triangle_worksheet_7th_grade.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/783d0df5-cc82-478d-965c-c01ba371072c/vizio_sound_bar_remote_code_comcast_x1.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/f83e48a2-8ce1-40df-bd2d-397abad2f8b4/pewex.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e36a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE36A 5080 bytes
SHA-256: 03fc705d2f5ab288199905416c153af0ae5aef9b60fd54629c66026ee5fcd413
font_01_sfnt_off0000f49c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF49C 21552 bytes
SHA-256: f52771c7be503924e1c4f4691b39e98c6d2274650b51e1d9c49858d7ddc45c38