Malicious PDF — malware analysis report

Static analysis result for SHA-256 46cd0b392909ccc1…

MALICIOUS

PDF

69.0 KB Created: 2021-09-16 22:30:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-11-24
MD5: fdb8cfbb2249e4dda871bfac6ea08562 SHA-1: d56d93b2452455c2c575ed5745cb97b7a18bff7a SHA-256: 46cd0b392909ccc1b151049172ba6918937d6ed705e5dac22e7bb5ad28f3faca
134 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The file is identified as malicious by ClamAV and exhibits characteristics of a phishing or malware distribution lure. It contains numerous links to external PDFs hosted on various domains, with a significant heuristic indicating a link farm on disposable hosting. One specific link, 'https://internationallanguagenavigators.com/media/63949622534.pdf', is flagged as a random URL, suggesting it's part of an automated distribution scheme.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.4785

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link to algorithmically-generated URL high PDF_RANDOM_URL_LINK
    PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://sunpower.lv/ckfinder/userfiles/files/robitalijit.pdf In PDF document text
    • http://zzfcw.com/file/fkimg/file/wuvupegitolajonuve.pdfIn PDF document text
    • http://keystoparadise.com/userfiles/files/wadomevoju.pdfIn PDF document text
    • https://www.onestopnaturalstore.ca/wp-content/plugins/super-forms/uploads/php/files/fk21rue8mo7118blvh8r1103gd/zobebomawolilagosakov.pdfIn PDF document text
    • http://kompletucetnictvi.cz/files/file/zatujoxofololobesanu.pdfIn PDF document text
    • http://www.smartusb.info/images/library/File/51091733418.pdfIn PDF document text
    • http://margheritango.it/userfiles/file/79194868214.pdfIn PDF document text
    • http://monikaknoblochova.com/userfiles/file/bixeket.pdfIn PDF document text
    • https://www.simcoerecovery.net/wp-content/plugins/super-forms/uploads/php/files/3n3hr2oqvq15t7cm8qr5n09cl2/98592615553.pdfIn PDF document text
    • http://viral-list-machine.com/ckfinder/userfiles/publics/files/zosakava.pdfIn PDF document text
    • https://heatingboiler.ca/fck_upload/file/18059305426.pdfIn PDF document text
    • http://uniquehotelsolutions.com/files/others/nofosivegunegijereja.pdfIn PDF document text
    • https://holcom-wd.holcom.vn/webroot/img/files/nujibibe.pdfIn PDF document text
    • http://sparkpro.lv/content/file/notarulugavololiwibatis.pdfIn PDF document text
    • http://www.cafeinca.com/img/public/contenido/file/60332660362.pdfIn PDF document text
    • http://yepuco.com/uploads/files/lopifu.pdfIn PDF document text
    • https://himalmanpower.com/ckfinder/userfiles/files/20071632191.pdfIn PDF document text
    • http://nprofit.hk/userfiles/29076414238.pdfIn PDF document text
    • http://kcpsystem.com/userData/board/file/22807528465.pdfIn PDF document text
    • https://webaprint.be/img/file/ruwoxelilijaju.pdfIn PDF document text
    • https://vongtaytramhuong.vn/upload/files/95975409038.pdfIn PDF document text
    • https://indoshaolinkungfusociety.com/ckfinder/userfiles/files/neredesu.pdfIn PDF document text
    • https://internationallanguagenavigators.com/media/63949622534.pdfIn PDF document text
    • https://shriramsteels.in/public/ckfinder/userfiles/files/99648565206.pdfIn PDF document text
    • https://safarekhoob.ir/basefile/safarekhoobir/files/kimubisi.pdfIn PDF document text
    • http://baohanhranghm.com/upload/img/files/8673303652.pdfIn PDF document text
    • http://xinshifm.com/userfiles/file/mimit.pdfIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/LPIa9PGmDLg/uplcv?utm_term=android+cihaz+y%C3%B6neticisiPDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d8d7.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD8D7 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1