Malicious PDF — malware analysis report

Static analysis result for SHA-256 1a9ad333bb807387…

Verdict: MALICIOUS
File type: PDF
Size: 116.5 KB
Created: 2021-04-22 13:09:42 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e35d18a0dd69692b699a2564cdfe08d6
SHA-1: 939dfe7b28d5108410792910a598d73f5cbb0c9e
SHA-256: 1a9ad333bb807387f549cf44189ee85d210f16fb9f2aed1521750f22ddf27ee6
Risk Score: 126

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged as malicious by ML classifiers and ClamAV, indicating a phishing or trojan payload. It contains a large number of embedded URLs, many pointing to disposable domains, suggesting a link farm designed to redirect users to malicious sites. The document body, though heavily obfuscated, contains references to 'wkhtmltopdf' and a date, along with a URL that appears to be a lure for 'Ibn Arabi quotes in Hindi'. No scripts were extracted, but the PDF structure and numerous external links strongly suggest a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9990

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting [medium, PDF_SEO_DISPOSABLE_LINK_FARM]
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI [info, PDF_URI]
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ponafet.ru/strik?utm_term=ibn+arabi+quotes+in+hindi

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: stream_004_off00019ad7.bin
    SHA-256: 8d7a1bc5464ee0c647edeecba887a7adf60cd4e6786fe96471bdd3f821fd63f0
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x19AD7
    Size: 23728 bytes
  • Filename: font_00_sfnt_off00015bd1.bin
    SHA-256: e167cfafe2cdca24e5abab9bf650a4558664164c4c20a2ae64bcfa7ebcb62aa3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x15BD1
    Size: 5084 bytes
  • Filename: font_01_sfnt_off00016d0c.bin
    SHA-256: fac67b498e40f569a66c4cf379998eb7adac9a84f9613e7dd31209f794827078
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x16D0C
    Size: 15708 bytes