Malicious PDF — malware analysis report

Static analysis result for SHA-256 1504b7ba4cdc96dd…

MALICIOUS

PDF

80.3 KB Created: 2021-03-15 14:40:19 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4bddfbe89c0f6c230088be294ace7cc1 SHA-1: e23b3454f86978bc44583e7145cef2316acb186a SHA-256: 1504b7ba4cdc96dd2709dad3a63ba95c20163b2d66fc5e23804e8c2251082a99
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document is flagged as malicious by multiple heuristics, including a high-confidence ML classifier and ClamAV detection. It contains numerous external URIs, many hosted on disposable domains, suggesting a link farm or phishing infrastructure. The heuristic 'SE_PASSWORD_ARCHIVE_LURE' indicates the document likely instructs the user to open a password-protected archive, a common tactic to bypass gateway security. The presence of embedded URLs and the overall structure point towards a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://zajinet.ru/wix?keyword=schumacher+xp750c+manual
    • https://cdn-cms.f-static.net/uploads/4415767/normal_60466d7d0973d.pdf
    • https://static.s123-cdn-static.com/uploads/4472793/normal_5fce92eb9f183.pdf
    • https://cdn.sqhk.co/datawafag/jHSgiDw/endless_space_2_dlc_guide.pdf
    • http://lisolu.org/guguxafevofokewf70tz.pdf
    • https://cdn.sqhk.co/rebiguta/oeuimhj/quadcopter_fx_simulator_apk.pdf
    • https://cdn-cms.f-static.net/uploads/4403674/normal_6023c998b3407.pdf
    • https://cdn-cms.f-static.net/uploads/4463262/normal_601eccaf52087.pdf
    • http://dvertsoff.ru/xafejazebitenanetaagt6p.pdf
    • http://cethq.xyz/apple_airport_express_setup_passwordtbc85.pdf
    • http://getchambre.xyz/marketing_entry_level_jobs_nycd0njj.pdf
    • https://cdn-cms.f-static.net/uploads/4404990/normal_6041978a20305.pdf
    • https://cdn.sqhk.co/gusisitixinu/ijjdig2/53879094107.pdf
    • http://opensalon.xyz/batman_the_long_halloween_1krfiw.pdf
    • http://tehnotop.store/miya_bhai_song_2018_mr_jattv558x.pdf
    • http://esportzmlevent.com/1502057387k9vcu.pdf
    • http://xtina.online/35722856313tz8na.pdf
    • http://rubyshup.space/154169000814c93c.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/lumixi/cintas_uniform_rental_cost.pdf
    • https://s3.amazonaws.com/dofufiri/gap_analysis_template_health.pdf
    • https://uploads.strikinglycdn.com/files/1bafd3ec-42d3-43e7-9302-17afd8357584/what_is_basic_process_control_system.pdf
    • https://s3.amazonaws.com/naxozelozude/printable_activity_sheets_for_4_year_olds.pdf
    • https://s3.amazonaws.com/miledu/30870167635.pdf
    • https://uploads.strikinglycdn.com/files/b21e4c9f-a958-4da3-a11e-15ef86726df7/how_to_choose_living_room_rug_color.pdf
    • https://s3.amazonaws.com/jujadodedaruxix/25387207642.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f810.bin
c148ac1330130a0853c7c61bf6758bdde03ef430315728278ddb77b905eadb01		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF810 5512 bytes
font_01_sfnt_off00010ab5.bin
888463252051a8a509df1381f000cdccbf7f7dabd4823f3afb8b8b45bf9d0572		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10AB5 11940 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.