Malicious PDF — malware analysis report

Static analysis result for SHA-256 f544b29a9085c158…

MALICIOUS

PDF

83.3 KB Created: 2021-09-17 22:20:49 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-27
MD5: 8b5d5245357d5e3969660e87cf7037fc SHA-1: a37f3056569a2c0f36c4e199d4ce564082cf4c90 SHA-256: f544b29a9085c158b9f713cb882204ed99b6a9a1996b0a9bcfa4ff008363f63f
86 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 User Execution: Malicious File

The PDF contains numerous embedded URLs, many of which point to disposable domains and are part of a link farm, suggesting a malicious intent to redirect users. The 'SE_ENABLE_LURE' heuristic indicates the document likely contains instructions to enable macros or editing, a common tactic for malware droppers. The ML classifier also flagged this PDF as malicious with high confidence.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9956

Heuristics 5

  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://pistant.ru/uplcv?utm_term=ad+blocker+magisk PDF link annotation
    • http://kbfrutos.sk/images/_file/jiwopixosutozorinan.pdfIn PDF document text
    • http://sallytour.com/FileData/ckfinder/files/20210915_3477BD015167C451.pdfIn PDF document text
    • http://www.stadion-zarya.ru/ckfinder/userfiles/files/41962619649.pdfIn PDF document text
    • http://abbeytraining.net/userfiles/file/75756088973.pdfIn PDF document text
    • https://takipcisec.com/calisma2/files/uploads/tewusepoboj.pdfIn PDF document text
    • http://jnmindia.com/outscapes/admin/ckeditor/uploads/ck/files/94284521820.pdfIn PDF document text
    • http://ipceurope.com/assets/file/pakodemivuguzufejuzogoja.pdfIn PDF document text
    • https://treasurehunterdetectors.solar-ovens.net/ckfinder/userfiles/files/dulizadasosoxalemupup.pdfIn PDF document text
    • http://minhphucvietnam.com/uploads/userfiles/file/visida.pdfIn PDF document text
    • http://crystaltrade.hu/data/file/3687519599.pdfIn PDF document text
    • http://versobrokers.eu/userfiles/files/33834588746.pdfIn PDF document text
    • https://tatsolarlight.com/uploads/files/xetatatasuvunax.pdfIn PDF document text
    • http://we-women.de/default/files/uploads/file/nedupojeritufexom.pdfIn PDF document text
    • http://tnslib.tools/userfiles/files/xibedasujarelogewejafo.pdfIn PDF document text
    • https://independentmusicleague.com/wp-content/plugins/super-forms/uploads/php/files/88670dbee380cd5a30ab0cb1997e5abe/fopekajuzigovumuf.pdfIn PDF document text
    • https://condicionamentofisico.com/arquivos/file/zutifovure.pdfIn PDF document text
    • http://lrm.mcdonalds.ua/ckfinder/userfiles/files/gezosukimi.pdfIn PDF document text
    • http://career-id.org/ckfinder/userfiles/files/bebowasegulajukukuxipipez.pdfIn PDF document text
    • https://ahha.az/userfiles/file/13631792789.pdfIn PDF document text
    • http://omniatel.it/wp-content/plugins/formcraft/file-upload/server/content/files/161307ba5824d6---87047937471.pdfIn PDF document text
    • http://verzorgingsindex.nl/images/uploads/62344484753.pdfIn PDF document text
    • https://tradingcall.in/ckfinder/userfiles/files/76700485671.pdfIn PDF document text
    • http://energywork.pl/userfiles/file/9288799828.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e248.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE248 10724 bytes
SHA-256: 11628a690892ff65068c1cabbeac3dc89d828074e9df0810965ce15ac95446cc
font_01_sfnt_off0000fab0.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFAB0 17404 bytes
SHA-256: d58f75b093e63bcef5689a1d15275362163ce1a3d14f7828d0fdf43d3790a245
font_02_sfnt_off000127e2.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x127E2 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1