Malicious PDF — malware analysis report

Static analysis result for SHA-256 0dcad9fabee9a6ac…

Verdict: MALICIOUS
File type: PDF
Size: 373.9 KB
Created: 2021-09-25 04:23:23 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-10-26
MD5: 63ed6cf7bb4bf982bbce54ab6d23ef9e
SHA-1: b352dbb4a0cd8ae0c7e664a3e352f1177aa5014d
SHA-256: 0dcad9fabee9a6acda4e16d4077a59ade933ba4faf8354bbc32905e5d4483981
Risk Score: 216

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The sample is identified as malicious by ClamAV and exhibits characteristics of a phishing lure due to its structure as a link farm. The PDF contains numerous embedded URLs pointing to various domains, suggesting an attempt to redirect users to potentially malicious sites. While no specific script was directly analyzed for malicious intent, the overall structure and the presence of multiple unknown URLs strongly indicate a phishing attack.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0230

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Secondary embedded PDF body has suspicious static findings [critical] POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container, and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    The small PDF contains many clickable external PDF links spread thinly across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • External URI [info] PDF_URI
    The PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (7)

Files carved from inside the sample during analysis.

Fields: Filename, Kind, Source, Size, SHA-256, Detection (where applicable).

  • font_00_sfnt_off0000c584.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xC584
    Size: 16872 bytes
    SHA-256: f862f0a4d6555910a42bb8d13c036fce891db92ffb1630dd5d5a95338f5bffbf
  • font_01_sfnt_off0000f1c2.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF1C2
    Size: 8984 bytes
    SHA-256: 1155eef8b03fb48db8196c62fe92ea0367c3129ef5e52290f3da045cb9446085
  • font_02_sfnt_off000103f2.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x103F2
    Size: 16792 bytes
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
  • polyglot_child_pdf_off00012ae2.pdf
    Kind: polyglot-child-pdf
    Source: Secondary PDF body inside pdf container at offset 0x12AE2
    Size: 306328 bytes
    SHA-256: cb09ad00b88193a547b51efac6279c913ca54bde5c7225d25e04a13d792bad71
    Detection: ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    Obfuscation or payload: unlikely
  • polyglot_child_pdf_off000255c4.pdf
    Kind: polyglot-child-pdf
    Source: Secondary PDF body inside pdf container at offset 0x255C4
    Size: 229814 bytes
    SHA-256: 239aae89f0659b13350d188d10b0d2ccf75a561858747ace4faee86cae4af82d
    Detection: ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    Obfuscation or payload: unlikely
  • polyglot_child_pdf_off000380a6.pdf
    Kind: polyglot-child-pdf
    Source: Secondary PDF body inside pdf container at offset 0x380A6
    Size: 153300 bytes
    SHA-256: 2bb7bc734736639d691de2f3665b780ceccbe1d520ffe37efd4bbdecb056b778
    Detection: ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    Obfuscation or payload: unlikely
  • polyglot_child_pdf_off0004ab88.pdf
    Kind: polyglot-child-pdf
    Source: Secondary PDF body inside pdf container at offset 0x4AB88
    Size: 76786 bytes
    SHA-256: 0ce44aaf45b4d00af76e7bf64b63bd4e68ed31f6d509b44f580ced99bcf1399e
    Detection: ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    Obfuscation or payload: unlikely