Malicious PDF — malware analysis report

Static analysis result for SHA-256 289f424a9be792ed…

Verdict: MALICIOUS
File type: PDF
Size: 80.3 KB
Created: 2021-06-02 12:32:35 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2778fb991a544880319e5afb35bb70df
SHA-1: 7d1dd241f28f50c88c5cadbaf480d55a2ee1aa0c
SHA-256: 289f424a9be792ed781b8843c7eeed79b8ee7eb8d2d23ee12a5f03ec86b4e38f
Risk Score: 126

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains embedded URLs and is flagged by ClamAV as 'Pdf.Phishing.Trojan'. The document body, though partially obfuscated, suggests a lure related to car seat age limits, directing users to a URL that appears to be a search result. The presence of numerous links and disposable hosting, as indicated by the PDF_SEO_DISPOSABLE_LINK_FARM heuristic, further supports a phishing or malicious redirection scheme.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting (medium) PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (info) PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies (info) PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://chcial.ru/pbw?utm_term=what+is+the+age+limit+for+infant+car+seat

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename (SHA-256) | Kind | Source | Size
font_00_sfnt_off0000ef1f.bin (6f27ff3a2c3e9943df9d8f10c43480e3b8b28816d5c59458a86246d969c67e9a) | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEF1F | 5096 bytes
font_01_sfnt_off00010050.bin (1524a0ecdbc93042da3a7e2ff6fd40c26ecc7b545c15e59338a8a6f4df2a3eb7) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10050 | 10704 bytes
font_02_sfnt_off000124ca.bin (cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x124CA | 4324 bytes