Malicious PDF — malware analysis report

Static analysis result for SHA-256 1e1cdfc98a5eb55a…

MALICIOUS

PDF

79.5 KB Created: 2021-04-13 18:43:09 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-23
MD5: 221a17bed0191378b0d79ab883e1951f SHA-1: d9a8c0ada874c8b4598d7b30de81b3aa9bd00f7f SHA-256: 1e1cdfc98a5eb55adfa2e329ffe81d235c9dafe2b811230068e215e5eb5a1963
126 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was flagged by multiple heuristics and a machine learning classifier as malicious, with ClamAV identifying it as Pdf.Phishing.Trojan. The document body and embedded URLs suggest a lure to download files disguised as drivers or manuals, likely leading to malware. The use of numerous disposable domains for hosting these files indicates a phishing or malware distribution campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://kuzutuzo.ru/strik?utm_term=hp+photosmart+5510+driver+for+mac PDF link annotation
    • http://boribonabone.mypressonline.com/88911875446.pdfIn PDF document text
    • http://inter-kalinka.ru/993156043743nc3j.pdfIn PDF document text
    • http://stylecurtains.com/deja_vu_mp3_initial_dj9xc1.pdfIn PDF document text
    • http://fanuvazav.scienceontheweb.net/70490197246.pdfIn PDF document text
    • http://batmbatm.ru/dell_ultrasharp_u2515h_user_manual36mzn.pdfIn PDF document text
    • http://vanlit.ru/dell_inspiron_n5010_charger_costy6l0g.pdfIn PDF document text
    • http://shop-you.xyz/maksud_agama_islam4ueq7.pdfIn PDF document text
    • http://afracheat4.xyz/harry_potter_germany_2019a9uzp.pdfIn PDF document text
    • http://idealica-ufficiale.site/biological_science_1_2xonbq.pdfIn PDF document text
    • http://senteber.site/anhalteweg_reaktionsweg_formely8wb0.pdfIn PDF document text
    • http://wownatural.fun/maniwazai6xtf.pdfIn PDF document text
    • http://leopolds.space/velawumejetaviloxoo13.pdfIn PDF document text
    • http://xemakaze.mywebcommunity.org/rarajepavixugedexogi.pdfIn PDF document text
    • http://xtrading.buzz/livro_carcereiros9sw25.pdfIn PDF document text
    • http://madamzero.com/theological_foundations_jj_muellerji7gm.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/e2a4c2c4-7cb5-4299-8536-f0643c1329e8/6212973584.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/40ba71b2-8872-4219-a2dc-19d128118b8f/bujifuz.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/c5ae2e34-3cb1-47ca-bfa5-34232f91c0d0/daxagulededewefodobu.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/848f44e4-52fb-4fdb-a2ad-23fb3f5170a7/gerozedesuwukafufazogol.pdfIn PDF document text
    • https://s3.amazonaws.com/sebunuzu/mebufilirogidi.pdfIn PDF document text
    • https://s3.amazonaws.com/gezejoputiwinu/biology_study_material_in_telugu.pdfIn PDF document text
    • http://nojikigor.myartsonline.com/texaluvubesajizifewejobat.pdfIn PDF document text
    • https://s3.amazonaws.com/tiduro/zojuwiwa.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f6af.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF6AF 5700 bytes
SHA-256: e6e0454b8cfb8bdf5b6808c3b518318fcb55193d9a451fe85fbd1347e8d0bdd2
font_01_sfnt_off000109fb.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x109FB 10860 bytes
SHA-256: fa9f2fe58e7857149a176e966ea635637f10be7e4f4836385ef3ecdd4bad8863

Open this report in the interactive analyzer, or submit your own file for analysis.