Malicious PDF — malware analysis report

Static analysis result for SHA-256 00e01c9ebad8a4b0…

MALICIOUS

PDF

69.0 KB Created: 2021-09-13 18:28:11 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 04498fdb9da5c160464164ebfd56f3e3 SHA-1: bf23e559e34f26c2edca5f2ebb6115d83ead709e SHA-256: 00e01c9ebad8a4b09ddab82910a2cf360ef4358eb30a0ff0cff0541d2c3716fe
126 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains numerous embedded URLs, many of which point to disposable hosting and are part of a link farm, as indicated by the PDF_SEO_DISPOSABLE_LINK_FARM heuristic. The ML classifier and ClamAV detection strongly suggest malicious intent, likely for phishing or distributing further malware. While no scripts were explicitly extracted, the PDF structure and embedded URIs are indicative of a malicious lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9975

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://pixomot.ru/uplcv?utm_term=android+bootloader+download
    • https://digireg.dk/upload/33702465279.pdf
    • http://paliukenas.lt/i/File/wulinowosanugunipezirasig.pdf
    • http://tribo.kz/userfiles/File/nurogokikobabelodifa.pdf
    • https://esterkins.de/ckfinder/userfiles/files/41600864756.pdf
    • https://magicdiscoradio.com/userfiles/file/mikominokem.pdf
    • https://stl-log.com/htdocs/cljr/data/files/gosukoxiburoxewepuwib.pdf
    • http://novafish.it/userfiles/files/wamozigubisonili.pdf
    • http://klawiatury-foliowe.pl/_data/file/ribam.pdf
    • http://pferdefreunde-brueckenhof.de/sites/default/files/userfiles/file/37443983146.pdf
    • https://bomberosdenavarra.com/userfiles_nexo/files/69073286131.pdf
    • http://wu-pao.com/upfiles/editor/files/dopit.pdf
    • https://rumusjitu.com/contents/files/14207375431.pdf
    • http://iphonedown.com/ckfinder/userfiles/files/42675224812.pdf
    • https://a-1commercialkitchenservices.com/ckfinder/userfiles/files/bikaperoworajok.pdf
    • http://yuanhebiotech.com/upload/files/61830326310.pdf
    • http://www.gobarging.com/uploads/textareas/file/wagigixalumubaniwojoz.pdf
    • http://thuexedanang247.com/uploads/image/files/xekuvasupofuguzizutudega.pdf
    • http://md-servicios.com/userfiles/file/34888225887.pdf
    • https://haruhonpo.com/upload/haruhonpo/files/22749737400.pdf
    • https://turkeyinsurance.info/images/file/vopelekuvudupap.pdf
    • https://suhrsmad.dk/wp-content/plugins/formcraft/file-upload/server/content/files/1613ecafa51756---80785168355.pdf
    • https://hotnewsmd.deca.md/upload/userfiles/files/niramevevexona.pdf
    • https://brihat-group.com/assets/userfiles/files/69561163605.pdf
    • https://christianbelieversmatrimony.com/web/christiansbelieversmatrimony/photos/ckeditor/files/mowove.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000b2e7.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB2E7 16792 bytes
font_01_sfnt_off0000caf9.bin
1b44bff10e7afb226b46bbc4da756d30584f28d7dd69c6a4842937b0db16796f		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCAF9 14460 bytes
font_02_sfnt_off0000ef07.bin
b090d86b516bfd05f6c72d68616825e0cfb978d74c877a8d7e3d1e8e87020d4a		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEF07 10280 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.