Malicious PDF — malware analysis report

Static analysis result for SHA-256 2ee973f7d3e8ad94…

MALICIOUS

PDF

Size: 75.2 KB
Created: 2021-03-19 14:12:03 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-07-13
MD5: 11a2006a3463ae165f59d619c1a10007
SHA-1: 5f908b2d499ba75272f7cf99a5ae5bf15654ced3
SHA-256: 2ee973f7d3e8ad949ee29c700b7dfec1fd56c62106498bcfba748120f8b45668
Risk Score: 126

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged by multiple heuristics, including a critical ClamAV detection for Pdf.Phishing.Trojan and an ML classifier indicating maliciousness. The presence of numerous external URIs, some pointing to disposable hosting, suggests a link farm designed to redirect users to malicious content. The document body, though heavily obfuscated, contains metadata related to wkhtmltopdf and a date, indicating it was likely generated programmatically. The primary malicious activity appears to be the redirection of users to external URLs, likely to download further payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ponafet.ru/award?keyword=human+anatomy+3rd+edition+mckinley+pdf (PDF link annotation)
    • https://cdn.sqhk.co/kikolibub/djiRYwC/crossy_road_castle_new_tower.pdf (in PDF document text)
    • http://woxuruko.medianewsonline.com/2001_toyota_camry_maintenance_required_light.pdf (in PDF document text)
    • http://juzufezike.mygamesonline.org/metabolisme_basal.pdf (in PDF document text)
    • http://gijaninapumobe.sportsontheweb.net/52966870820.pdf (in PDF document text)
    • http://jusukigib.sportsontheweb.net/77353445437.pdf (in PDF document text)
    • https://cdn.sqhk.co/vujenibolo/2GJjRmp/video_maker_photo_with_song_online.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • http://raxegujanamefas.atwebpages.com/40123227530.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/6b3f8959-a0f8-472b-971c-98a3cbd905e8/maytag_dishwasher_error_codes_e1_f9.pdf (in PDF document text)
    • https://54179944-c6a3-49b3-9462-5d1939b6aff2.filesusr.com/ugd/49f5ef_3201de61f04740ac8421f92eff4eeb7c.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/232dfeed-440a-4cd4-8f4c-6f3e55658c32/dejujunazejafazagutozupej.pdf (in PDF document text)
    • https://6b137298-3864-41c5-aaa3-11744000c3c2.filesusr.com/ugd/b916f4_41c1294ecef04ea783416ccab837af6a.pdf?index=true (in PDF document text)
    • https://a819be37-316e-4347-83bc-b067fb6953c8.filesusr.com/ugd/d5662a_8101eccf17264530a819b21c6df9d8a5.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/b4303246-3acc-48d0-a2de-5fe0e403285b/how_to_do_transcendental_meditation_step_by_step.pdf (in PDF document text)
    • http://nokejufesuw.atwebpages.com/how_to_hard_reset_my_lg_phone.pdf (in PDF document text)
    • https://3ecb585b-79b8-4502-8567-d9a17299c5c1.filesusr.com/ugd/4b874d_d293d9f3f9b2418b8bc21e93115e16bf.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/0933a4ce-7abe-428e-842e-96dfb0648bc6/65447287136.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/7f7b5310-2206-44a9-b213-719133eb8b12/what_is_the_meaning_of_stanza_in_a_poem.pdf (in PDF document text)
    • https://efa91360-7c21-416c-9d60-3189e0beb381.filesusr.com/ugd/42ffc7_881ff4adcfc84d399ce8463ad6ba5034.pdf?index=true (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000e7f1.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE7F1
    Size: 5412 bytes
    SHA-256: 3c02a0f936b402dc4bfad96e65d090e3b4c9f8170b2a1baaf4bb7f49bcdd5029
  • font_01_sfnt_off0000fa52.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFA52
    Size: 10988 bytes
    SHA-256: 4e64c08b1bd07d24f295872085b461faf3bee5ce271ce273276057436c82d100