Malicious PDF — malware analysis report

Static analysis result for SHA-256 2379eb18f8ad9fa8…

MALICIOUS

PDF

71.2 KB Created: 2020-12-17 17:13:01 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-12
MD5: aa42126afdf42157d5d5812cd65486c9 SHA-1: f34bccbb330c17d4a316e152831bc22bba4c3072 SHA-256: 2379eb18f8ad9fa8e2e8ed2a1cb352f02c36728ec225975405a2e04b9ac6d643
224 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1204.001 Malicious Link

The sample is a PDF file flagged by multiple heuristics and ML classifiers as malicious, specifically for brand-impersonation credential phishing. It contains an embedded URL that leads to a redirector, which in turn points to a PDF hosted on weebly.com, likely a phishing page. The document body, though heavily obfuscated, contains keywords related to urgency and brand impersonation, supporting the phishing lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Brand-impersonation credential phishing lure critical SE_BRAND_CREDENTIAL_PHISH
    Document impersonates a well-known consumer brand and uses account-security / verification language ('unusual activity', 'account on hold', 'verify your account') to steer the reader to a credential-harvesting link. Corroborated by: action link to abused redirector https://tazeviguso.weebly.com/uploads/1/3/4/3/134339516/dofelexamudo.pdf.
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffnew.ru/123?utm_term=does+tinder+work+on+ipad PDF link annotation
    • https://cdn-cms.f-static.net/uploads/4390663/normal_5fbb3074afa64.pdfIn PDF document text
    • https://tazeviguso.weebly.com/uploads/1/3/4/3/134339516/dofelexamudo.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4366010/normal_5f86ffb65dd53.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4389794/normal_5f935eb925716.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://static1.squarespace.com/static/5fc0f05df9866f3fd2d48fd4/t/5fd17598ad61ab5831802f89/1607562648923/hit_the_button_bingo_times_table.pdfIn PDF document text
    • https://s3.amazonaws.com/mizeteb/29723504676.pdfIn PDF document text
    • https://s3.amazonaws.com/safenalavojuwu/sample_cv_templates_free_word_document.pdfIn PDF document text
    • https://s3.amazonaws.com/jidagafinuxesu/85998615950.pdfIn PDF document text
    • https://static1.squarespace.com/static/5fc522e660f2895dc10348e3/t/5fcec66569d6d06d552c9a5f/1607386728385/jegowafijibev.pdfIn PDF document text
    • https://static1.squarespace.com/static/5fc7a8d51c59a74bd991d95d/t/5fcc210374a40730fb8902df/1607213315623/rujirogepujo.pdfIn PDF document text
    • https://static1.squarespace.com/static/5fc11cf00a2757459be424fe/t/5fc311c22dd96f591853617e/1606619586973/90803684896.pdfIn PDF document text
    • https://static1.squarespace.com/static/5fbce344be7cfc36344e8aaf/t/5fbf6a03e6d49a06bb8a53c6/1606380039490/evangelio_de_felipe_gnosis.pdfIn PDF document text
    • https://static1.squarespace.com/static/5fc1cfa22cf09257bd7273ee/t/5fceae1799b6a7582b4c175e/1607380503511/81061205462.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000da52.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDA52 5076 bytes
SHA-256: 5c7865edacb6782ab8fa7af8d9fdc4764d8c09e9c34ef00c14c152af5f207bc0
font_01_sfnt_off0000ebbe.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEBBE 10560 bytes
SHA-256: 9140f00e0c6ba48a1349860566ccab5ffdad66737e7a2da279dbfb441ea88c75

Open this report in the interactive analyzer, or submit your own file for analysis.