Malicious PDF — malware analysis report

Static analysis result for SHA-256 f92d48d07346f2e8…

MALICIOUS

PDF

75.8 KB Created: 2021-05-17 05:45:57 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-25
MD5: 53437df3e6d0d0a958df0c49c24fe673 SHA-1: aea4f64d99bfe685e56a98d58a1738102a297622 SHA-256: f92d48d07346f2e81ba0ece1b2a44891da6bd22233227b0fb3a83b06bf5db6c0
166 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains multiple embedded URLs, with one specifically flagged as a random, algorithmically-generated link to 'kungfumalibu.com'. Another URL, 'golowaki.ru', appears to be part of a phishing lure related to 'Comcast cable not working'. The ML classifier and ClamAV detection strongly indicate malicious intent, likely related to phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link to algorithmically-generated URL high PDF_RANDOM_URL_LINK
    PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://golowaki.ru/strik?utm_term=comcast+cable+not+working+ref+code+s0a00 PDF link annotation
    • http://technodom11.com/minecraft_survival_island_seeds_1.14.1srhm5.pdfIn PDF document text
    • http://ganeruk.iblogger.org/23204482542.pdfIn PDF document text
    • http://kungfumalibu.com/tobigazubakutomupafesefusnsowk.pdfIn PDF document text
    • http://b2b-servis.ru/jexopofemifeveraguv8b1q1.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4446942/normal_600e6df3f09f2.pdfIn PDF document text
    • http://xawegap.mywebcommunity.org/que_organos_conforman_el_sistema_circulatorio_del_ser_humano.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4466664/normal_6009f4f7c2983.pdfIn PDF document text
    • http://bikokobolo.sportsontheweb.net/asset_management_system_documentation.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4392656/normal_6047ab4d2aeb5.pdfIn PDF document text
    • http://wotaxatumumodok.sportsontheweb.net/zmodo_h.264_16_channel_dvr.pdfIn PDF document text
    • http://rapegupuv.iblogger.org/wilinitexejajagujiro.pdfIn PDF document text
    • http://mozobadijoba.medianewsonline.com/bofavonumasupiku.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://dopovis.myartsonline.com/78881180319.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/2bac9a51-ade5-4159-a142-dc184b6391c8/delonghi_portable_air_conditioner_with_heat_pump_reviews.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/4a8db746-ddfa-4935-b8f2-3408e693c02e/pugilonemazitudukigeweja.pdfIn PDF document text
    • http://lanosebezazov.onlinewebshop.net/sexepaxis.pdfIn PDF document text
    • http://jeneviwa.epizy.com/49506185741.pdfIn PDF document text
    • http://dijaduluka.epizy.com/site_pour_telecharger_les_journaux_algeriens.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/bf869feb-c85c-4b93-8524-6d7abdb8b898/kemabaz.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000eb5f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEB5F 5684 bytes
SHA-256: b7d2539c5d847db53452926694e9eb80d8ab887cb99b8f8cda58909dd4cbd4d6
font_01_sfnt_off0000fea6.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFEA6 10416 bytes
SHA-256: 29289870a7db4a7820000d67b0a9a33ba81c7f50f04364cbd38a0b1281e97ace