Malicious PDF — malware analysis report

Static analysis result for SHA-256 490ba2b681aaf37a…

MALICIOUS

PDF

135.9 KB Created: 2021-06-06 11:21:19 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ef43815a345fb2f088b65ca21a79732d SHA-1: c3ba243773c5fd2cd668822099dc622c8023b4a3 SHA-256: 490ba2b681aaf37acb1a3fc7b88354baaf5b2ad3ebd9f02a9293b815352bb112
206 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a significant number of external links, many hosted on disposable domains, indicative of a link farm or SEO abuse. The presence of a callback lure heuristic suggests a phishing or scam attempt. ClamAV detection and ML classification confirm the malicious nature of the document, likely serving as a dropper or redirector to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9985

Heuristics 7

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://crewmak.ru/pbw?utm_term=java+8+older+version+download
    • https://zedowami.weebly.com/uploads/1/3/1/6/131637063/a117b284.pdf
    • https://zopatiselinijil.weebly.com/uploads/1/3/4/7/134758238/ritavuvew.pdf
    • https://cdn-cms.f-static.net/uploads/4492915/normal_605cafad76b98.pdf
    • https://cdn-cms.f-static.net/uploads/4424341/normal_605b9304c6152.pdf
    • https://rofekituluz.weebly.com/uploads/1/3/2/3/132303072/4888354.pdf
    • https://cdn-cms.f-static.net/uploads/4419211/normal_6051330685aeb.pdf
    • https://webebusili.weebly.com/uploads/1/3/0/9/130969565/f631887c46bd27.pdf
    • https://pozukelemiku.weebly.com/uploads/1/3/2/6/132682282/sumivisorilep_siwabiraluboz.pdf
    • https://cdn-cms.f-static.net/uploads/4367646/normal_601d852d2b4ca.pdf
    • https://tepupusaf.weebly.com/uploads/1/3/4/5/134585026/9983995.pdf
    • https://gavibokilixebil.weebly.com/uploads/1/3/4/7/134716725/8407095.pdf
    • https://nivovugi.weebly.com/uploads/1/3/4/6/134636265/2b887f5.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://lajaweridadi.pbworks.com/f/how_to_unlock_trucks_on_monster_jam_steel_titans.pdf
    • http://barumena.pbworks.com/w/file/fetch/144458523/kadef.pdf
    • http://pokuwatosat.pbworks.com/w/file/fetch/144433263/21482952525.pdf
    • http://zezupagijene.pbworks.com/w/file/fetch/144614247/garelanidele.pdf
    • http://nagomax.pbworks.com/f/maariful_quran_english_volume_7.pdf
    • http://foxobekizax.pbworks.com/f/16497428004.pdf
    • http://rasovuxosew.pbworks.com/f/dance_moms_season_7_episode_7_123movies.pdf
    • http://popuwepux.pbworks.com/w/file/fetch/144648168/nefapivemaxixodurek.pdf
    • http://pinurakus.pbworks.com/w/file/fetch/144548940/37498693967.pdf
    • http://furalagaposu.pbworks.com/w/file/fetch/144712944/what_has_a_higher_boiling_point_decane_or_pentane.pdf
    • http://kigemulu.pbworks.com/f/ma_raineys_black_bottom_script.pdf
    • http://lopofemusun.pbworks.com/w/file/fetch/144518772/nizobogepaxijaru.pdf
    • http://redejok.pbworks.com/w/file/fetch/144498828/wagivoziwaneved.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001d5e6.bin
11abe5b9ecb971f8742f08a22c6e785819ba10c3126cef7a118b3c8d072c34ff		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1D5E6 5156 bytes
font_01_sfnt_off0001e78e.bin
139142254985a5c46218ebb4b959217e38bfdf479aee82e5c2eb23737313b2f2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1E78E 12380 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.