Malicious PDF — malware analysis report

Static analysis result for SHA-256 255c8624c4bedfca…

Verdict: MALICIOUS
File type: PDF
Size: 78.3 KB
Created: 2021-02-24 06:00:59 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bf7d8499881a02f9da5ab21a49fc2786
SHA-1: 1bdef7b826ea107236ad4cf1ade6665d71c2b908
SHA-256: 255c8624c4bedfcad3f5b212f377aad7fdd385f6612a51a7f5f7d9b33ae7d89b
Risk Score: 126

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous embedded URLs, with one identified as a potential phishing lure (`https://druttle.ru/strik?utm_term=junji+ito+painter`). The heuristic `PDF_SEO_DISPOSABLE_LINK_FARM` indicates a pattern of using disposable hosting for numerous PDF links, suggesting a coordinated effort to distribute malicious content or phish for credentials. The ML classifier and ClamAV detection strongly indicate malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://druttle.ru/strik?utm_term=junji+ito+painter

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

  • font_00_sfnt_off0000d3e7.bin
    SHA-256: 18692c79d80cedf04a3e4935e4961924eada4acb8d032f22850c3e2885e41958
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD3E7
    Size: 10848 bytes
  • font_01_sfnt_off0000f7c9.bin
    SHA-256: 8093dc3c8371925d9d14b53b1b2cfcfb3bc021f21af6beecf07712f770b8c797
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF7C9
    Size: 4668 bytes
  • font_02_sfnt_off000107bb.bin
    SHA-256: 8c560a890362e14d481352348bcd25f63d7c9c43f28873549be4dbaa665bc76f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x107BB
    Size: 10796 bytes