Malicious PDF — malware analysis report

Static analysis result for SHA-256 17ce6d807dd7ca57…

MALICIOUS

PDF

76.4 KB Created: 2021-04-08 23:59:12 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8cad91e4b1ebad3da5e941fcf4745c41 SHA-1: 5085d3d8bf1d16f1e7ad2c5ff511efbfc244eb60 SHA-256: 17ce6d807dd7ca57ee1f09355c3cc1e68f443b3a27c3f8e0a4c88eef348e3659
126 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous embedded URLs, many pointing to disposable domains, and one specifically uses 'xfinity+xfi+app+store' in its UTM parameters, strongly suggesting a phishing lure. The ML classifier and ClamAV detection confirm the malicious nature of the file. While no scripts were explicitly extracted, the PDF structure and URL patterns are indicative of a phishing campaign designed to trick users into visiting malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://resalured.ru/strik?utm_term=xfinity+xfi+app+store
    • http://wusodopepufex.66ghz.com/lejowulolukazoxokafoz.pdf
    • http://sukotovomiregat.22web.org/contrato_de_confidencialidad_gratis.pdf
    • http://sifasawiseziwi.iblogger.org/98453215323.pdf
    • http://rozujed.sportsontheweb.net/metallica_nothing_else_matters_lyrics.pdf
    • http://akillidestekbasvuruformu.online/89981379525w2f92.pdf
    • http://sagedix.medianewsonline.com/tisafenov.pdf
    • http://roworesezakor.iblogger.org/fujalesumojakitulofawama.pdf
    • http://vsedlyatebya.xyz/bootable_software_for_windows_7fryjn.pdf
    • http://biwadevebudorif.22web.org/18030276038.pdf
    • http://3bki.ru/sports_event_management_systemvtw6i.pdf
    • http://fovijivil.iblogger.org/ferojitajiwako.pdf
    • http://wusokamojifel.scienceontheweb.net/wazozonoxivora.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://rewezaxow.epizy.com/rikalaxuwosuborezutaxof.pdf
    • http://xefiruluxom.rf.gd/advanced_aerodynamics.pdf
    • http://butozijiko.epizy.com/46922271228.pdf
    • http://difugarulid.epizy.com/36593905437.pdf
    • http://dopafedoxafedar.rf.gd/clinical_psychology_journals.pdf
    • https://uploads.strikinglycdn.com/files/d0a56dcc-d0b5-49e6-9a38-1ca48ba7e8d4/xuzojidigosume.pdf
    • http://bosirizowu.rf.gd/64064808067.pdf
    • https://uploads.strikinglycdn.com/files/70c4099b-1082-4627-9839-067e6d3dd95b/widokiga.pdf
    • http://worubag.epizy.com/koxom.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ee73.bin
5313468aa2d158e6d1bdf8b4835350b143cabd45c7fe864847bc1f5c57caa5c5		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEE73 5008 bytes
font_01_sfnt_off0000ff99.bin
05a4c7ffc801b1131ba3a32638f143df955a6416b4f0ad3af927019a37d8a0c0		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFF99 10856 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.