Malicious PDF — malware analysis report

Static analysis result for SHA-256 2455468c9b5059c4…

MALICIOUS

PDF

Size: 68.0 KB
Created: 2021-09-17 02:48:15 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-10-24
MD5: 1fa4b8cae90df4a8b5e13bbe95dc9e1e
SHA-1: 228cbfecf7ecde78309835f8370bb65a106bc6e1
SHA-256: 2455468c9b5059c4312567b36123ffb6c923c5f2be342fa0a24413458566c4db
Risk Score: 102

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF references a /JS stream (PDF_JS, low severity: generic JavaScript is common in benign forms and no dangerous API was flagged) and carries a single external URL action (PDF_URI), a link annotation pointing at a feedproxy.google.com SEO redirector with a utm_term parameter. The remaining URLs were extracted from the document text (EMBEDDED_URL): 26 links to .pdf files on 26 distinct hosts, nearly all under writable upload directories such as ckfinder/userfiles, userfiles/files or uploads/files. A small PDF whose links are spread thin across many disposable hosts with no dominant host is the pattern the PDF_SEO_DISPOSABLE_LINK_FARM heuristic describes (the 'free document/template' SEO phishing family): the document itself carries no exploit, the risk lies in the linked destinations, for example http://mirutte.com/newsfiles/files/34505764167.pdf. The two dejavu.sourceforge.net URLs are the DejaVu font project homepage and license page, the kind of string carried in embedded font metadata, and are not part of the farm. The ClamAV detection (Pdf.Phishing.Trojan) corroborates the verdict, and the T1566.001 mapping reflects the delivery channel (a phishing attachment) rather than an exploit inside the file.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.3555

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://mirutte.com/newsfiles/files/34505764167.pdf (In PDF document text)
    • http://boilerservis.ru/uploads/files/rawuwoxuturexudijeb.pdf (In PDF document text)
    • http://kryotherapie.net/neu/userfiles/file/ruluk.pdf (In PDF document text)
    • https://bhopalliteraturefestival.com/mpsdp/uploads/files/1285934987.pdf (In PDF document text)
    • https://bold-iot.com/uploads/files/202109111718412677.pdf (In PDF document text)
    • https://fruitssupplier.com/app/webroot/img/files/82017443076.pdf (In PDF document text)
    • http://hidramaco.com/files/files/27429420194.pdf (In PDF document text)
    • http://turnwealthy.com/ckfinder/userfiles/files/fenegogiwilomut.pdf (In PDF document text)
    • http://archpiudue.com/userfiles/files/jezorodisumizugi.pdf (In PDF document text)
    • http://mail-ex.net/userfiles/file/57166702035.pdf (In PDF document text)
    • http://hoangminhsaigon.vn/@dmin/js/ckfinder/userfiles/files/bukakilorazavetirix.pdf (In PDF document text)
    • https://suemsas.com/wp-content/plugins/super-forms/uploads/php/files/embl54bcal2l5g7f95dpn08kq2/toxuxegeseferugezazax.pdf (In PDF document text)
    • http://tvoirostov.ru/ckfinder/userfiles/files/48752544552.pdf (In PDF document text)
    • http://sage-chem.com/image/files/20210913_221911.pdf (In PDF document text)
    • https://helicopterleasingservices.com/userfiles/files/niwopavovakubu.pdf (In PDF document text)
    • https://xnkvinatimex.com/uploads/files/72670155772.pdf (In PDF document text)
    • http://www.coverseg.com/uploads/ckfinder/files/zowewapijegifiwomuzibaju.pdf (In PDF document text)
    • http://cu-mbc.com/ckfinder/userfiles/files/11699961190.pdf (In PDF document text)
    • http://flemingdecal.com/uploads/assets/file/befuzokojefawazos.pdf (In PDF document text)
    • http://helloslow.com/data/userfiles/files/mebomadelifodipeluxopimol.pdf (In PDF document text)
    • http://hsaltsj.com/uploads/files/60206787455.pdf (In PDF document text)
    • https://tiemhoahaibara.com/data/dulieu/files/xokepadifudinagokemes.pdf (In PDF document text)
    • http://www.yevres.fr/ckfinder/userfiles/files/sobazonudepisezanonuvezez.pdf (In PDF document text)
    • https://mb-classic-service.de/userfiles/file/jusekovilujuxedetisow.pdf (In PDF document text)
    • https://akrmedia.no/ckfinder/userfiles/files/21741177268.pdf (In PDF document text)
    • https://sacc-la-chaux-de-fonds.ch/fichiers/file/kipipazixorenaxewezajugar.pdf (In PDF document text)
    • https://feedproxy.google.com/~r/Uplcv/~3/Om9ozkHLxGw/uplcv?utm_term=porque+no+soy+cristiano+pdf (PDF link annotation)
    • http://dejavu.sourceforge.net (In PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (In PDF document text)
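The heuristics above (PDF_JS, PDF_URI, EMBEDDED_URL and the link-farm rule) can be reproduced with a small triage script. The following is an added example and is not the analysis platform's own code: it scans raw PDF bytes with regular expressions, so it only sees uncompressed objects (a real pipeline inflates FlateDecode streams first), and the thresholds in is_link_farm and the UPLOAD_MARKERS list are assumptions chosen from the paths in this report, not the platform's rule definitions. The SAMPLE_PDF is a constructed, uncompressed PDF carrying a /JS OpenAction, one /URI link annotation and a subset of the URLs listed above.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Byte-level patterns: they only see uncompressed objects, so inflate FlateDecode
# streams first (pdfid/peepdf/pdfminer) before trusting a "no URL found" result.
URL_RE = re.compile(rb"(https?://[^\s()<>\"']+)")
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
JS_RE = re.compile(rb"/JS\b|/JavaScript\b")

# Assumed markers for writable upload folders on abused CMS installs (taken from this report's paths).
UPLOAD_MARKERS = ("ckfinder", "userfiles", "/uploads/", "/files/", "wp-content/")

# Constructed sample: an uncompressed PDF with a /JS OpenAction, one /URI link
# annotation and a text stream carrying a subset of the report's URLs.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] /Contents 6 0 R >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI
 /URI (https://feedproxy.google.com/~r/Uplcv/~3/Om9ozkHLxGw/uplcv?utm_term=porque+no+soy+cristiano+pdf) >> >> endobj
5 0 obj << /S /JavaScript /JS (this.pageNum = 0;) >> endobj
6 0 obj << /Length 0 >> stream
BT (http://mirutte.com/newsfiles/files/34505764167.pdf) Tj
(http://boilerservis.ru/uploads/files/rawuwoxuturexudijeb.pdf) Tj
(http://kryotherapie.net/neu/userfiles/file/ruluk.pdf) Tj
(https://bhopalliteraturefestival.com/mpsdp/uploads/files/1285934987.pdf) Tj
(https://bold-iot.com/uploads/files/202109111718412677.pdf) Tj
(https://fruitssupplier.com/app/webroot/img/files/82017443076.pdf) Tj
(http://hidramaco.com/files/files/27429420194.pdf) Tj
(http://turnwealthy.com/ckfinder/userfiles/files/fenegogiwilomut.pdf) Tj
(http://archpiudue.com/userfiles/files/jezorodisumizugi.pdf) Tj
(http://mail-ex.net/userfiles/file/57166702035.pdf) Tj
(http://hoangminhsaigon.vn/@dmin/js/ckfinder/userfiles/files/bukakilorazavetirix.pdf) Tj
(https://suemsas.com/wp-content/plugins/super-forms/uploads/php/files/embl54bcal2l5g7f95dpn08kq2/toxuxegeseferugezazax.pdf) Tj
(DejaVu fonts: http://dejavu.sourceforge.net http://dejavu.sourceforge.net/wiki/index.php/License) Tj ET
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def has_js(pdf: bytes) -> bool:
    """PDF_JS: the file references a /JS or /JavaScript key."""
    return JS_RE.search(pdf) is not None


def extract_urls(pdf: bytes) -> list:
    """EMBEDDED_URL: deduplicated (url, channel) pairs; /URI actions are the PDF_URI hits."""
    found, seen = [], set()
    for regex, channel in ((URI_ACTION_RE, "PDF link annotation"), (URL_RE, "In PDF document text")):
        for m in regex.finditer(pdf):
            url = m.group(1).decode("latin-1").rstrip(".,;")
            if url not in seen:
                seen.add(url)
                found.append((url, channel))
    return found


def link_farm_features(urls: list) -> dict:
    """Features behind PDF_SEO_DISPOSABLE_LINK_FARM: many .pdf links, no dominant host, upload paths, utm_term."""
    pdf_links = [u for u, _ in urls if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).netloc.lower() for u in pdf_links)
    return {
        "pdf_links": len(pdf_links),
        "distinct_hosts": len(hosts),
        "top_host_share": round(max(hosts.values()) / len(pdf_links), 3) if pdf_links else 0.0,
        "upload_paths": sum(any(mk in urlparse(u).path.lower() for mk in UPLOAD_MARKERS) for u in pdf_links),
        "utm_redirector": any("utm_term" in parse_qs(urlparse(u).query) for u, _ in urls),
    }


def is_link_farm(features: dict, size_bytes: int, *, min_links=10, max_top_share=0.5, max_size=200 * 1024) -> bool:
    """Assumed thresholds (not the platform's): small file, many .pdf links spread across
    hosts with no dominant one, and mostly upload-folder paths or a utm_term redirector."""
    return (size_bytes <= max_size
            and features["pdf_links"] >= min_links
            and features["top_host_share"] <= max_top_share
            and (2 * features["upload_paths"] >= features["pdf_links"] or features["utm_redirector"]))


def analyze(pdf: bytes) -> dict:
    """Run the four heuristics over raw PDF bytes and return their results in one dict."""
    urls = extract_urls(pdf)
    feats = link_farm_features(urls)
    return {"js": has_js(pdf), "urls": urls, "features": feats, "link_farm": is_link_farm(feats, len(pdf))}


if __name__ == "__main__":
    r = analyze(SAMPLE_PDF)
    for url, channel in r["urls"]:
        print(f"{channel:22} {url}")
    print(r["features"], "link_farm:", r["link_farm"])
```

On the constructed sample this reports 12 .pdf links on 12 distinct hosts (top host share 0.083), all under upload-style paths, plus the utm_term redirector and a /JS reference, so the link-farm rule fires while the two dejavu.sourceforge.net URLs are ignored because they do not point at .pdf files. Against a real sample, run it on the inflated objects (or pair it with a proper parser), since the link text in wkhtmltopdf output normally sits inside a FlateDecode content stream that these regexes cannot see.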

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename                        Kind             Source                                      Size
font_00_sfnt_off0000bf2a.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0xBF2A   10928 bytes
    SHA-256: 5930e18c667f61b6df1a4caa12795ec147824675832b61373319c3fe0671f768
font_01_sfnt_off0000d880.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0xD880   16792 bytes
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1