Malicious PDF — malware analysis report

Static analysis result for SHA-256 0900a132ceb983c3…

Verdict: MALICIOUS
File type: PDF
Size: 73.4 KB
Created: 2021-10-12 20:56:36 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-11-23
MD5: edabd88fa9ea2b2ca340084899ada19e
SHA-1: ffb75479c47f28ac3fe269fddb0c3d88fd0f1a7e
SHA-256: 0900a132ceb983c36003a5d22e6353e4625a9654c084b9ebdf32e2c096382f60
Risk Score: 94

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with a 'Pdf.Phishing.Trojan' signature. It contains numerous embedded URLs, many pointing to disposable domains, and is flagged as a link farm. The document body is heavily obfuscated, but the presence of embedded URLs and the heuristic firings suggest an attempt to redirect users to malicious sites, likely for phishing or to download further payloads.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.4683

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                           Kind              Source                                   Size
font_00_sfnt_off0000c7ab.bin       pdf-font-stream   PDF embedded font (sfnt) at offset 0xC7AB  19792 bytes
  SHA-256: 9872746d7b9e9aae2303ca8db9dfa0c56d668c3b9a944f6ddfddc18295f19fbd
font_01_sfnt_off0000fad9.bin       pdf-font-stream   PDF embedded font (sfnt) at offset 0xFAD9  11148 bytes
  SHA-256: 7f476cce9a8cb0236826a8b3781dad32fdf3c078abaa37aa4028511df50839f5