Malicious PDF — malware analysis report

Static analysis result for SHA-256 fe118e0f05a9be94…

MALICIOUS

PDF

82.4 KB Created: 2021-03-29 11:10:16 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4f42f807bd5cd5d2df343372e7153502 SHA-1: 40f36bc2782b37b14197a49e6069f349b854ddc7 SHA-256: fe118e0f05a9be94c03bdbdbfd7a72e568205fd88cffe14e8c02cf318df9d562
126 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The sample is a PDF file flagged by ClamAV as Pdf.Phishing.Trojan and ML classifiers. It contains an embedded URI pointing to 'baarspo.ru', which is likely a malicious domain used for phishing or distributing further payloads. The PDF's structure and embedded links suggest it's part of a link farm designed to obscure the ultimate destination.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://baarspo.ru/strik?utm_term=magickal+cashbook+damon+brand+pdf
    • https://cdn-cms.f-static.net/uploads/4403543/normal_601dcc69bf790.pdf
    • http://kevekozulanilim.sportsontheweb.net/bpsc_answer_key_download.pdf
    • https://cdn-cms.f-static.net/uploads/4370062/normal_6030027a4d066.pdf
    • http://worelimupuvefam.mywebcommunity.org/76826867802.pdf
    • https://static.s123-cdn-static.com/uploads/4411481/normal_5fca587d37fbe.pdf
    • http://betegozoneseje.iblogger.org/labeled_map_of_africa.pdf
    • https://static.s123-cdn-static.com/uploads/4490266/normal_5fc6b5e3dff51.pdf
    • https://cdn.sqhk.co/mibupufek/ijupxv7/burnout_masters_game_best_engine.pdf
    • http://tokigarodam.22web.org/84978720010.pdf
    • http://folejaf.mypressonline.com/japan_calendar_2020_holidays.pdf
    • http://fuxutigox.mypressonline.com/47183266956.pdf
    • https://cdn.sqhk.co/tuwetebep/algigbQ/dominican_hair_salons_open_today.pdf
    • https://static.s123-cdn-static.com/uploads/4495254/normal_5ff14b801ec3f.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/a973606e-c233-420e-9467-b8ce71962c10/charlie_and_the_chocolate_factory_lines.pdf
    • http://tijiwef.epizy.com/kung_fu_girl_riesling_tech_sheet.pdf
    • https://0f3c41ac-de96-4ba7-a517-026d7435d592.filesusr.com/ugd/8631de_e0d068e6ad094b2aab4261f102a2fb83.pdf?index=true
    • https://uploads.strikinglycdn.com/files/05d59eb9-1057-454a-98d8-a5560808650d/68125194709.pdf
    • https://7be8961d-effb-4c78-a255-78c3c9f0be09.filesusr.com/ugd/3dd68e_91953835f1174d8d9954135b745434f2.pdf?index=true
    • http://wuvasof.epizy.com/828545141.pdf
    • https://uploads.strikinglycdn.com/files/00d60aea-1d8a-492b-b9a9-bcac4d038bb3/statistics_for_management_and_economics_11th_edition_download.pdf
    • https://uploads.strikinglycdn.com/files/2700d57c-9e50-422f-8418-76503d92ea68/25224272031.pdf
    • https://f64a1a0a-debf-4843-a838-a34c0cae0f4a.filesusr.com/ugd/89602e_df305bb3c61145da8ec2796030872d9c.pdf?index=true
    • https://uploads.strikinglycdn.com/files/aeb127b8-49a4-4a20-b425-8498c381642a/jodemaj.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001030b.bin
5c092af41071d4f73aa876c4698813e5fccddf628966cc5866df9c466568ff9b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1030B 5776 bytes
font_01_sfnt_off00011699.bin
c538afcc83d513402cc8eb1c654fb940be9b421ca29ccedd6c690beb295af0f2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11699 10916 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.