Malicious PDF — malware analysis report

Static analysis result for SHA-256 43b1aa4912be59de…

MALICIOUS

PDF

68.8 KB Created: 2021-09-28 00:06:16 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-24
MD5: 67f592c0309209ed6438ca871a5bf01f SHA-1: b87ea0d3357212dd43e88a7163332466d6bb31dd SHA-256: 43b1aa4912be59de795045e8929a2eb9380285fb7853a22824006389abfa5eaa
134 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1566.001 Spearphishing Attachment

The PDF contains an embedded JavaScript stream, which is a common technique for delivering malicious payloads or redirecting users to phishing sites. The heuristic 'PDF_SEO_DISPOSABLE_LINK_FARM' and the large number of extracted URLs, many pointing to potentially disposable domains, further indicate a phishing or malicious redirection attempt. ClamAV also detected this file as 'Pdf.Phishing.Trojan'.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9965

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://www.sensormaticltd.com/app/templates/js/ckfinder/userfiles/files/24912575367.pdf In PDF document text
    • https://kaimano.it/file/37122903699.pdfIn PDF document text
    • http://lncxjzxxw.com/upload_fck/file/2021-9-22/20210922160500854375.pdfIn PDF document text
    • http://yuhuimachinery.com/d/files/18002177435.pdfIn PDF document text
    • https://garnizone.com/userfiles/file/51773658.pdfIn PDF document text
    • https://bloomeng.com/uploads/9251164620.pdfIn PDF document text
    • http://boras-sjuharad.boj.se/uploads/userfiles/files/82398067973.pdfIn PDF document text
    • https://radekslodkiewicz.pl/files/file/48285933272.pdfIn PDF document text
    • http://mebelhotel.ru/userfiles/files/sesuforajumufereso.pdfIn PDF document text
    • https://www.funes.gob.ar/ckfinder/userfiles/files/44061825961.pdfIn PDF document text
    • https://currenwatch.myhost360.cn/file/upload/files/09-02-06-57-19-34.pdfIn PDF document text
    • http://studiomontironi.eu/userfiles/files/92684270324.pdfIn PDF document text
    • https://sabunwangi.com/contents/files/musobavin.pdfIn PDF document text
    • http://asbu.net/uploads/FCK_files/file/45805049234.pdfIn PDF document text
    • https://concurs-euclid.ro/upload/fck/gegatuwono.pdfIn PDF document text
    • http://www.immiflex.com/wp-content/plugins/formcraft/file-upload/server/content/files/1615231b00874c---7150762850.pdfIn PDF document text
    • http://2015.letnifestiwal.pl/ckfinder/userfiles/files/59458093688.pdfIn PDF document text
    • http://vaynhe.com/upload/files/60594975961.pdfIn PDF document text
    • http://taigesw.com/upload/files/zofikavulunar.pdfIn PDF document text
    • http://langeline.com/ckeditor/upload/files/gemofow.pdfIn PDF document text
    • http://www.thunderesp.com/ckfinder/ckfinder.htmlfiles/netoxesajatemigenorulef.pdfIn PDF document text
    • http://tt-ural.su/admin/ckfinder/userfiles/files/sapomizobonugaj.pdfIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/A3Ryygt5BCM/uplcv?utm_term=nova+launcher+fire+hd+8PDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ad45.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xAD45 10656 bytes
SHA-256: 2625bc6b9d80bedd4985152e88f522bb826fdbb26f37c6055be538a2694bbd9a
font_01_sfnt_off0000c59a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xC59A 15980 bytes
SHA-256: 4afb75c1bd161b323e9f1b462fbb05e5f9faa5a9446e620198ac612cc526fb4e
font_02_sfnt_off0000ee07.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEE07 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1

Open this report in the interactive analyzer, or submit your own file for analysis.