Malicious PDF — malware analysis report

Static analysis result for SHA-256 01ad3574e0405d8e…

MALICIOUS

PDF

Size: 58.4 KB
Created: 2021-06-05 23:40:37 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-18
MD5: a18d2a84ee0eda1e46430770d3370130
SHA-1: 445fba92f6f70f6532c5ece0b54b2b15e67acdc2
SHA-256: 01ad3574e0405d8e74713564e7e5717319bde50f9d68206e5164fd4047fb17dd
Risk score: 124

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file contains numerous embedded links, many pointing to disposable hosting services, and one specifically to 'pistant.ru' with a suspicious query parameter. Heuristics indicate this is a link farm designed to redirect users, and ClamAV detection confirms it as a phishing trojan. The document body, though heavily obfuscated, contains metadata suggesting it was generated by wkhtmltopdf, a tool sometimes used to create malicious PDFs.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6078

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://pistant.ru/pbw?utm_term=what+is+islam+view+of+salvation (PDF link annotation)