Malicious PDF — malware analysis report

Static analysis result for SHA-256 01cdf2ac47b8459e…

MALICIOUS

PDF

84.2 KB Created: 2021-04-08 00:30:30 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-16
MD5: 99b9dddf2bf6b507ed1a9bb66d2a59fd SHA-1: 972ce40bf5160371965205e099ac1b4e6316b5a8 SHA-256: 01cdf2ac47b8459e9f008e4ca19aa2c979bde1bac27cbcf918f56683d39ac16f
304 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file contains multiple heuristics indicating malicious intent, including links to known malicious redirectors and a link farm on disposable hosting. The document body, though partially obfuscated, contains text related to 'kidde alarm' and references to 'cmd_commands_windows_7_hacks.pdf', suggesting a lure to trick users into clicking malicious links. The presence of embedded URLs and the ML classifier's high confidence score further support its malicious nature.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 8

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://crophysi.ru/strik?utm_term=why+does+my+kidde+alarm+keep+beeping In PDF document text
    • http://prizinsta365.website/87818470891a8ayv.pdfIn PDF document text
    • https://cdn.sqhk.co/futipujorup/jihOxAI/quiz_logo_game_answers_level_france_4.pdfIn PDF document text
    • http://lunesygets.xyz/polar_bear_population_increasing_201845u1e.pdfIn PDF document text
    • https://vonazevuza.weebly.com/uploads/1/3/4/6/134603973/toburopuvemuj.pdfIn PDF document text
    • https://zadukali.weebly.com/uploads/1/3/5/3/135340438/xaviwexuwu_natoregekaga_tugudaburuso_wofus.pdfIn PDF document text
    • http://mexicotop.xyz/what_do_the_colors_of_friendship_bracelets_meanbh2dk.pdfIn PDF document text
    • https://cdn.sqhk.co/dowepigakaw/rjhoMZT/dojojigo.pdfIn PDF document text
    • http://bilkaita.space/how_to_apply_hair_color_properlyx0c2n.pdfIn PDF document text
    • http://motivawka.online/80395716972px5po.pdfIn PDF document text
    • https://cdn.sqhk.co/vetedaxuzele/iehcjgd/kilelukevexolodiz.pdfIn PDF document text
    • http://prizinsta365.websiteIn macro / runtime command snippet
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/da48d79f-f2e9-4d64-9161-98e2f5ca59b6/cmd_commands_windows_7_hacks.pdfIn PDF document text
    • https://0ccb9a81-bd3c-41bd-bc79-2352350f0e5e.filesusr.com/ugd/95ea6b_6a16913023d644da9d136ff71f7303fb.pdf?index=trueIn macro / runtime command snippet
    • https://uploads.strikinglycdn.com/files/2f298673-0852-49f5-8a4e-922e5678cbde/joremuxaxuzijajuxinet.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/38a30baa-8744-438c-95c8-252cfb6bc517/65386156951.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/054ef6f7-f0a5-46ff-ba42-5bc273b2ece4/legipefolofa.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/0d29b41e-6006-4e3a-b8c5-fa389527fb0c/ruger_sr9c_size_comparison.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/adbcf30d-75f7-4220-b4f2-29e0f93a7ea6/what_is_the_message_of_cloud_atlas.pdfIn PDF document text
    • https://71e5fc8e-cc9a-4633-96c3-2c70acd464d0.filesusr.com/ugd/f08e01_998561e18f26490c941f305a79803eb9.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/90164131-a23f-4321-b8a1-66d8db88c5b1/8006321515.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/0d74ca58-d5f2-4821-86ba-48ec92b73294/how_to_remove_pimple_and_dark_spots_overnight.pdfIn PDF document text
    • https://6b2f37ea-3696-4b87-858b-663c379f6f6f.filesusr.com/ugd/16879a_5c40d9598546419eb64244af17dabbb5.pdf?index=trueIn PDF document text
    • https://5bf49506-6ef1-42f8-8f90-7e3689255fd3.filesusr.com/ugd/8fe1bf_1391ed7731f2402d848d1f3658c36ba5.pdf?index=trueIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000109dc.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x109DC 5692 bytes
SHA-256: 7abbfbce74f6f346279142649bb16235fb6e556f9783159e14563b437f57a935
font_01_sfnt_off00011d1f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x11D1F 10776 bytes
SHA-256: 1dac8835a568405bdb1a6a5620a6db21e38aa4d9bc71c304aea75f1364de4ec5

Open this report in the interactive analyzer, or submit your own file for analysis.