Malicious PDF — malware analysis report

Static analysis result for SHA-256 5176e680a27cf581…

MALICIOUS

PDF

93.1 KB Created: 2021-05-29 04:27:57 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 91aeb3946d8f4aa9fd003e604497b695 SHA-1: 6b6f687cebb2e0a83881b8ed7489529f508b43eb SHA-256: 5176e680a27cf581b46b7c7539d8e47bb38aba3dc337d3c188105296eb7e1ad4
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document contains a large number of external links, many hosted on disposable domains, suggesting a link farm or phishing campaign. The embedded URLs and the heuristic firings indicate an attempt to redirect users to malicious sites, likely for credential harvesting or malware distribution. The ML classifier and ClamAV detection strongly support its malicious nature.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://lozipotod.ru/strik?utm_term=chili+movie+apk+apps+for+firestick
    • https://mixosikopas.weebly.com/uploads/1/3/4/3/134383158/fab085450ad7ed.pdf
    • https://toxinezewam.weebly.com/uploads/1/3/1/4/131452950/5571181.pdf
    • https://badetujunomut.weebly.com/uploads/1/3/1/8/131857650/926461.pdf
    • https://perumazenete.weebly.com/uploads/1/3/4/3/134374831/jopabikafenud-xoruzunoguj.pdf
    • https://wubinuju.weebly.com/uploads/1/3/4/6/134642725/59e2b5f708.pdf
    • https://nusupubibirimu.weebly.com/uploads/1/3/1/8/131871553/e1c5ee54.pdf
    • https://warororob.weebly.com/uploads/1/3/5/3/135314520/meboto.pdf
    • https://siputewebototab.weebly.com/uploads/1/3/4/4/134480832/7cba8412d40909.pdf
    • https://jufomefafuxujo.weebly.com/uploads/1/3/4/8/134890319/ziwuzudad-wegijesome-vudujogajawi.pdf
    • https://bapamebitisetup.weebly.com/uploads/1/3/4/3/134325238/ae10af7.pdf
    • https://wowupaxelisone.weebly.com/uploads/1/3/4/8/134856013/6431ccd4f.pdf
    • https://kusajigoma.weebly.com/uploads/1/3/6/0/136036420/barijepamotuduratol.pdf
    • https://tetobalowuw.weebly.com/uploads/1/3/4/5/134523757/9326533.pdf
    • https://kikokowenut.weebly.com/uploads/1/3/4/7/134713101/dewejonu-zulogivujugufan-kexajifa.pdf
    • https://pugixodazujok.weebly.com/uploads/1/3/2/7/132710779/1af3816438a3.pdf
    • https://gegelejete.weebly.com/uploads/1/3/7/5/137500710/zomexifexakef.pdf
    • https://pulimogub.weebly.com/uploads/1/3/4/3/134312020/36bfb584658ed.pdf
    • https://cdn-cms.f-static.net/uploads/4388160/normal_605b0f4ba2985.pdf
    • https://toruruxixe.weebly.com/uploads/1/3/4/6/134698343/6ce28b6aae91c0.pdf
    • https://static.s123-cdn-static.com/uploads/4382613/normal_5ffb0bdc07981.pdf
    • https://cdn-cms.f-static.net/uploads/4387417/normal_5fda838c6e0f4.pdf
    • https://cdn-cms.f-static.net/uploads/4426701/normal_60286d0d73856.pdf
    • https://xuvasilibozin.weebly.com/uploads/1/3/5/3/135335949/6b290da.pdf
    • https://tomovomat.weebly.com/uploads/1/3/4/6/134617768/159409.pdf
    • https://cdn-cms.f-static.net/uploads/4385617/normal_60571e9468aac.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00012bec.bin
1982240d894aaa5f0c71cb309c81922adc3ee0f13a5acaf88ff3e508651e8274		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12BEC 5284 bytes
font_01_sfnt_off00013dbb.bin
b92c56d4ae34afa15739d85826c15820c3cb770edde52ac797a36412b9275297		 pdf-font-stream PDF embedded font (sfnt) at offset 0x13DBB 11588 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.