Malicious PDF — malware analysis report

Static analysis result for SHA-256 390c990340d96acd…

Verdict: MALICIOUS
File type: PDF
Size: 181.1 KB
Created: 2021-03-26 08:45:17 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-07-10
MD5: 60fb3b5c01016030ae0c5c71ba51d5b8
SHA-1: ef9859e0f76a7cdc94187f746fa6bd53a01c822c
SHA-256: 390c990340d96acd24a7693e6e7e891a69a00c592c169022a5b177259cbfd794
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous embedded URLs pointing to disposable domains and link farms, a common tactic for phishing or distributing further malware. The ClamAV detection as 'Pdf.Phishing.Trojan' strongly indicates malicious intent. While no scripts were explicitly extracted, the PDF structure and embedded URIs suggest an attempt to redirect users to malicious sites, likely as part of a phishing campaign.

Machine Learning

  • Nyx PDF Classifier: suspicious score 0.3507

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL (channel):
    • https://vilenefex.ru/award?keyword=south+asia+political+map+pdf (PDF link annotation)
    • https://xevefoworux.weebly.com/uploads/1/3/1/3/131380592/671357b167c.pdf (in PDF document text)
    • http://penageli.getenjoyment.net/rojozijopadasewilelem.pdf (in PDF document text)
    • http://xafawotilujos.mypressonline.com/92761171592.pdf (in PDF document text)
    • http://milesatel.mygamesonline.org/calendar_ortodox_2020_download.pdf (in PDF document text)
    • https://cdn.sqhk.co/goronikel/eibghgg/gimagupu.pdf (in PDF document text)
    • http://nageramuvepom.mywebcommunity.org/the_office_scripts_us.pdf (in PDF document text)
    • https://pudeputuxokaj.weebly.com/uploads/1/3/5/9/135968230/4693483.pdf (in PDF document text)
    • http://prodson.space/bohra_topi_designfzyk4.pdf (in PDF document text)
    • https://cdn.sqhk.co/fovuxugo/igd7T0i/84851728354.pdf (in PDF document text)
    • http://kolagozisil.mywebcommunity.org/all_she_left_behind_book_review.pdf (in PDF document text)
    • https://cdn.sqhk.co/bibikodazit/l14qohh/eazylene_topup_recharge_products.pdf (in PDF document text)
    • http://cryogen.me/sesatusalebea6bnl.pdf (in PDF document text)
    • https://cdn.sqhk.co/letarezetap/CtjdgtM/fast_money_halftime_report_cnbc_fix.pdf (in PDF document text)
    • http://pebifakonek.sportsontheweb.net/sujet_brevet_physique_chimie_2020_pondichery.pdf (in PDF document text)
    • http://spencermcman.us/32418083924lt69e.pdf (in PDF document text)
    • https://tafibukazun.weebly.com/uploads/1/3/5/4/135400045/xaxejixutiludu-xebofaram-tilaxezusoj.pdf (in PDF document text)
    • http://gagarinski.su/99368938164bksi5.pdf (in PDF document text)
    • http://carinsusa.info/spectrum_math_workbook_grade_8_free92cvz.pdf (in PDF document text)
    • http://tegotapiw.scienceontheweb.net/28368578425.pdf (in PDF document text)
    • https://cdn.sqhk.co/mukibusu/cgibhbk/10205334433.pdf (in PDF document text)
    • https://zoxiniguve.weebly.com/uploads/1/3/4/5/134584112/menegugoveporekegit.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • http://fedorahosted.org/lohit (in PDF document text)
    • http://wadoromutisagar.myartsonline.com/84730096754.pdf (in PDF document text)
    • http://zuputes.atwebpages.com/19534425817.pdf (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    • http://www.geocities.com/mitra_anirban/hobbies.htmGNU (in PDF document text)
    • http://www.gnu.org/copyleft/gpl.htmRegular (in PDF document text)
    • http://sinhala.sourceforge.net/ (in PDF document text)
    • http://sinhala.cvs.sourceforge.net/viewvc/*checkout*/sinhala/sinhala/fonts/CREDITS (in PDF document text)
    • http://www.gnu.org/licenses/gpl-2.0.html (in PDF document text)

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off00026a82.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x26A82 | 5060 bytes
  SHA-256: b0d0914e08b990e482aaf31919242cf13ed9285229e22343bc1296473ed2b5b5
font_01_sfnt_off00027bb6.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x27BB6 | 2196 bytes
  SHA-256: 89ee13d965f0d17a8821df9dea7c8d0d7dfb913388888ed0e5338c4e4b275a29
font_02_sfnt_off00028548.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x28548 | 4396 bytes
  SHA-256: df7106cc0f4db3dec42bf0f4606367689b1894400cfb9c11d60aee318edaa843
font_03_sfnt_off0002932c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2932C | 2800 bytes
  SHA-256: 1fe8b5a92c166e512656d86ad50560a9ebd38fe4dbee5671ff8f7d8424607e38
font_04_sfnt_off00029dd9.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x29DD9 | 14592 bytes
  SHA-256: f12584064b6fb1157ef87858d08916bde27abec6819da45d1552e5fda5b28e5e