Malicious PDF — malware analysis report

Static analysis result for SHA-256 2f1620f549b30b1a…

Verdict: MALICIOUS
File type: PDF
Size: 78.9 KB
Created: 2021-09-21 07:11:46 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-11-25
MD5: 6ecb06d246353f8816933991b8bc0059
SHA-1: 96c2b6f273380c9b1ef1ec850acfac213b7eb3d5
SHA-256: 2f1620f549b30b1aa99f245579df0607e76cf58737e49e717c516ed14b6da8ab
Risk Score: 126

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document was flagged by ML classifiers and ClamAV as malicious, specifically as a phishing trojan. It contains numerous embedded URLs, many of which are part of a link farm hosted on disposable domains, indicating a strong intent to redirect users to malicious content. The presence of external URIs and the link farm heuristic suggest the primary goal is to lead users to potentially harmful websites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9952

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting (severity: medium; rule: PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (severity: info; rule: PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info; rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://huntic.ru/uplcv?utm_term=fifa+20+apk+data+obb (PDF link annotation)
    • http://tvcsoltau.de/userfiles/file/nodimirepatepotowutoma.pdf (in PDF document text)
    • http://studiotecnicobonoli.com/userfiles/files/17866614555.pdf (in PDF document text)
    • https://spcinternational.in/ckfinder/userfiles/files/49814806145.pdf (in PDF document text)
    • http://preprod.app-nomads.com/ugecam/admin/ckfinder/userfiles/files/63789267466.pdf (in PDF document text)
    • https://valubil.com/public/uploads/cms_file/cms_files/13837377958.pdf (in PDF document text)
    • http://www.olympussverige.se/wp-content/plugins/super-forms/uploads/php/files/n7el14r0jajdillmb2mo1s8d01/82366969881.pdf (in PDF document text)
    • https://elegune.net/files/galeria/files/79988646966.pdf (in PDF document text)
    • https://concertwristband.com/resimler/files/38537543532.pdf (in PDF document text)
    • https://augsburger-dartliga.de/uploads/file/28564084345.pdf (in PDF document text)
    • https://marlschuz.com/userfiles/files/87949549681.pdf (in PDF document text)
    • http://alles-vom-schreiner.de/userfiles/file/31805087567.pdf (in PDF document text)
    • http://karinameal.com/imgdish/files/memebosamizu.pdf (in PDF document text)
    • http://ranjitabiswas.com/userfiles/files/21974789383.pdf (in PDF document text)
    • https://mi-stores.com/basketballtotaal/images/editor/file/29546350860.pdf (in PDF document text)
    • http://chuabenhxuongkhop24h.com/images/files/xizuwaruguxamebapo.pdf (in PDF document text)
    • http://doo-san.com/userfiles/file/20210908102746.pdf (in PDF document text)
    • http://tageedesign.com/ssmpt/documents/file/kizijeg.pdf (in PDF document text)
    • https://przyklejki.pl/userfiles/xojowulegor.pdf (in PDF document text)
    • http://colleges-in-tamilnadu.com/FCKeditor/userfiles/file/wawaxikima.pdf (in PDF document text)
    • http://denis-lefebvre-services.com/fichiers/file/21768817223.pdf (in PDF document text)
    • http://www.hkrns.org.hk/ckfinder/userfiles/files/16765263331.pdf (in PDF document text)
    • http://akcco.com/userData/board/file/vunaravijovinufitig.pdf (in PDF document text)
    • http://yongqingtech.com/d/files/wixetozekerefijiredo.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000d4fc.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD4FC
    Size: 17344 bytes
    SHA-256: fe4b51cb0bad425538d8481409955172ab4d9799d39de808bbf3885a52f9c232
  • Filename: font_01_sfnt_off000101ba.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x101BA
    Size: 10392 bytes
    SHA-256: c95ea322a0642849eaea28f6057b0650e5b9b5cc8942d8cad1c6ab1f570e036e
  • Filename: font_02_sfnt_off00011923.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11923
    Size: 16792 bytes
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1