Malicious PDF — malware analysis report

Static analysis result for SHA-256 492e34b641ba9489…

MALICIOUS

PDF

84.9 KB Created: 2021-09-08 16:43:21 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: c1aae228b6c91b0a48bf814a39c679a0 SHA-1: b24c88bc115d33af619ef4e3e136a1b910822f46 SHA-256: 492e34b641ba94895ab1a006c5144f0e2e3ce3dc2a885ddc5738c88591162658
126 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains numerous embedded URLs, many of which point to potentially malicious domains, indicating a link farm or phishing lure. The ML classifier and ClamAV detection strongly suggest malicious intent. While no scripts were explicitly extracted, the PDF structure and embedded URIs are indicative of a phishing or malware distribution attempt, likely delivered as a spearphishing attachment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9966

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://flightshop.jp/images/blog/file/rurox.pdf
    • https://latework.cz/soubory/28756557234.pdf
    • http://abwmercury.com/uploads/files/gulijilo.pdf
    • http://www.cerel.eu/images/wyswig_images/file/nozadesemamamezi.pdf
    • https://milorem-service.ru/userfiles/file/35320931049.pdf
    • http://eastwoodfamily.net/userimages/38328566190.pdf
    • https://generalaudit.pl/eurostyl/photos/file/digevi.pdf
    • http://zygzak.eu/foto_dane/wysiwyg/File/13325360539.pdf
    • http://obrienbuilders.com/userfiles/file/xakora.pdf
    • http://www.hussco-steel.com/husscofiles/files/tovujabifuwagiwemotazile.pdf
    • http://www.cerel.eu/images/wyswig_images/file/tipeko.pdf
    • http://hamyarsanatco.com/ckfinder/userfiles/files/58908247528.pdf
    • http://cmuniontravel.com/userfiles/file/37962655829.pdf
    • http://s2group.pl/userfiles/file/59824815136.pdf
    • https://www.lenoir-elec.com/wp-content/plugins/super-forms/uploads/php/files/21q2lfgjpm559i1027p5qli0m2/56362175188.pdf
    • https://ises.ca/phpsites/vertical_living/uploads/file/15089433450.pdf
    • http://ccadl.com/files/20210907065523.pdf
    • https://khambenhxahoi115.com/images/files/44022644363.pdf
    • https://www.tzounakos-insurance.gr/ckfinder/userfiles/files/2459885697.pdf
    • http://diysmart.net/userfiles/file/dikimogazorasaj.pdf
    • http://szjwwj.com/userfiles/file///44132488425.pdf
    • https://feedproxy.google.com/~r/skout/mBVl/~3/A3Ryygt5BCM/uplcv?utm_term=ex200+exam+dumps+pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e9d4.bin
cc2e2e2eb710b581bd982d3dcdb06941252310724b7ec129b54fd7cac044dc17		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE9D4 17148 bytes
font_01_sfnt_off000116b1.bin
fbf854ec95abf4b0d9d74fc70331df13049ced50c69b6fb76aa322b8d5b738bb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x116B1 10528 bytes
font_02_sfnt_off00012ec0.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12EC0 16792 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.