Malicious PDF — malware analysis report

Static analysis result for SHA-256 44cf6b6d33b7a54c…

MALICIOUS

PDF

62.9 KB Created: 2021-02-08 02:51:05 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d3d0135750ed8962996f36ccaf3eb0cf SHA-1: 6fe91eed91c82ec631460b029a3b6afbcd34e30b SHA-256: 44cf6b6d33b7a54c2a292cbabc453d88fb694dfbcf30087f99910869e3434d26
124 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous external links, many of which point to disposable domains and are likely part of a link farm designed to redirect users. The ML classifier and ClamAV detection strongly indicate malicious intent, specifically phishing. The presence of embedded URLs and the heuristic identifying it as a link farm suggest the primary goal is to redirect users to malicious sites, likely for credential harvesting or further malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9745

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://seumenha.ru/123?utm_term=change+pc+password+windows+7
    • https://cdn.sqhk.co/vexedobasof/ghIgfhc/5674775556.pdf
    • http://about-central.com/document_analysis_the_mayflower_compliarl.pdf
    • http://ejinaya.com/23124202122qdgh3.pdf
    • https://static.s123-cdn-static.com/uploads/4385230/normal_5feeff86950a3.pdf
    • http://kakaxazirobolob.iblogger.org/76784833679.pdf
    • http://dihtyar.online/kekometipavijopeotsr9.pdf
    • https://cdn.sqhk.co/gigemuji/jGFByjd/jetpack_joyride_download_pc_windows_7.pdf
    • https://static.s123-cdn-static.com/uploads/4413865/normal_5ff4cebcb2e09.pdf
    • http://particulieres-societegenerale.best/kifozitixoluxofimoiunk3.pdf
    • http://keborejozupe.22web.org/86457621649.pdf
    • http://hydra.moscow/64165390381hiv6t.pdf
    • https://cdn-cms.f-static.net/uploads/4461216/normal_5fd0e32943691.pdf
    • https://cdn-cms.f-static.net/uploads/4421461/normal_60108fa15132e.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://desakoda.rf.gd/84331861844.pdf
    • http://lemijafuw.epizy.com/slider_revolution_free_templates.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000df89.bin
8bbfb97c4ba19dc5b63444c78a9dc31675b2e04dac9acc2fdc1926abac369e8a		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDF89 5380 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.