Malicious PDF — malware analysis report

Static analysis result for SHA-256 07bd2a860cb804d1…

Verdict: MALICIOUS
File type: PDF
Size: 76.8 KB
Created: 2021-05-16 16:54:27 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-22
MD5: 00bea99f063c116a44079db7362d4137
SHA-1: 2decd44b5cfebd5a008ab075931ee82fb91f4e9c
SHA-256: 07bd2a860cb804d191f5f2fefbe5bc53cad213d98929537d0c506315c2e2bd09
Risk Score: 126

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains an embedded URL that redirects to a suspicious domain, likely for phishing or malware distribution. The heuristic 'PDF_SEO_DISPOSABLE_LINK_FARM' indicates a pattern of using disposable hosting for link farms, further suggesting malicious intent. The ML classifier and ClamAV detection strongly indicate this PDF is malicious, likely a phishing lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://midufefew.ru/strik?utm_term=how+to+draw+process+flow+chart+in+excel (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000efd7.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEFD7
    Size: 5364 bytes
    SHA-256: 69280bfc089b151716e60fec4faa6753b66bba6cfea727342777b8075260a6d5
  • font_01_sfnt_off00010220.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10220
    Size: 10608 bytes
    SHA-256: 189b017e2f58afd163014589833c1e6072904c3920709b6a59de567899853f77