Malicious PDF — malware analysis report

Static analysis result for SHA-256 51448ca3baebbadb…

MALICIOUS

PDF

Size: 83.3 KB
Created: 2021-04-06 23:44:40 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-23
MD5: bbed2691d6d1a42b4ecacdf8e1339f63
SHA-1: 3dc911cc8b88d7d5bf9e0c4308c9b2dd1f685c6f
SHA-256: 51448ca3baebbadba621f6067d721efa3c573d10b4ec8ebf7860280eb7759bb2
Risk Score: 174

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged as malicious by ClamAV and an ML classifier. It contains suspicious links, including one that is invisible and points to a domain associated with lures. The document body is heavily obfuscated, but the presence of external URIs and the combined heuristic hits suggest an attempt to redirect the user to a malicious site, likely for phishing or to download further payloads. No scripts were extracted; the PDF structure itself (its link annotations and embedded URLs) is what is being leveraged for malicious purposes.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (7)

  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF_SUSPICIOUS_LINK_LURE (high): Image-heavy PDF with invisible link to suspicious domain
    PDF is a small image-heavy lure with invisible link annotations that send the user to a suspicious high-risk-domain URI. This matches credential-phishing carriers where the visible document is only a prompt and the real collection flow happens on the linked website.
  • PDF_SEO_DISPOSABLE_LINK_FARM (medium): Small PDF is a non-clustered link farm on disposable hosting
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • SE_URGENCY_LURE (low): Urgency / deadline lure
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000f255.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF255 | 5188 bytes
    SHA-256: 432f3468f258ec1d87046585b9bb45f4f03ca87a13f0378d687badec97569ff2
font_01_sfnt_off00010411.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10411 | 11240 bytes
    SHA-256: 889875688da4b8f14f7b6c9a1a51dbd347d003e224f61646f97eb5738821cf9b
font_02_sfnt_off00012a9c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12A9C | 16204 bytes
    SHA-256: e93acd332f5893643511f4cefd38969ad5c744ad1b08842a788b6be7d277dd15