Malicious PDF — malware analysis report

Static analysis result for SHA-256 570300f8ea8d9162…

MALICIOUS

PDF

76.5 KB Created: 2021-04-12 02:15:56 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-08-20
MD5: 38e067e070254463c34eae91bba53703 SHA-1: c3d80f9978594ea2288fca02890a64a818dde7f8 SHA-256: 570300f8ea8d9162080a228982240eb82cdb67b023f5b4ece7e5bf6479fd528b
352 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

The PDF contains multiple heuristics indicating malicious intent, including links to known malicious redirectors and a link farm designed to obscure the true destination. The document body, though heavily obfuscated, contains text related to 'business identity theft protection' and payment redirection lures, suggesting a phishing or credential harvesting attempt. The presence of numerous embedded URLs and the ML classifier's high confidence score further support this assessment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 9

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Brand-impersonation credential phishing lure critical SE_BRAND_CREDENTIAL_PHISH
    Document impersonates a well-known consumer brand and uses account-security / verification language ('unusual activity', 'account on hold', 'verify your account') to steer the reader to a credential-harvesting link. Corroborated by: action link to abused redirector https://joxunirefebemi.weebly.com/uploads/1/3/4/3/134319414/8212943.pdf.
  • Payment redirection / bank-detail change lure high SE_PAYMENT_REDIRECT_LURE
    Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://dafemum.ru/strik?utm_term=business+identity+theft+protection In PDF document text
    • http://wogavuxemadirof.iblogger.org/golatovadajow.pdfIn PDF document text
    • https://joxunirefebemi.weebly.com/uploads/1/3/4/3/134319414/8212943.pdfIn PDF document text
    • https://likixadukevagal.weebly.com/uploads/1/3/4/7/134700169/fujikesebafupev-junujekube-wananaf-julewijosefefiw.pdfIn PDF document text
    • http://lg-copyrightforms.com/74655414786nm02x.pdfIn PDF document text
    • http://help-mediasupport.com/24784375731iaecs.pdfIn PDF document text
    • https://vabekozel.weebly.com/uploads/1/3/4/4/134487462/tinisisuzoxibud-fudewajaxowawom-selanukadok-gigivujenegaduw.pdfIn PDF document text
    • http://popularchoice.space/rent_assistance_form_centrelink_qldu3ndb.pdfIn PDF document text
    • http://xekevixuvojiw.22web.org/17107611103.pdfIn PDF document text
    • https://wufisosudima.weebly.com/uploads/1/3/0/8/130874090/3208205.pdfIn PDF document text
    • https://bimuwosexiwo.weebly.com/uploads/1/3/1/1/131164043/votod.pdfIn PDF document text
    • http://zuwitirub.iblogger.org/76921092905.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/bfa97d04-d83d-4d5a-a9e7-312474399f27/infinix_note_7_price_in_nepal_6gb_ram_128gb_rom.pdfIn PDF document text
    • https://d4f4546a-a836-4b3d-8651-c56b89608eca.filesusr.com/ugd/3e9e83_dd57161af57f48dfb67d60859da3466a.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/4a83e995-3fbe-49f5-9c8a-52c51750ddc1/tagativu.pdfIn PDF document text
    • http://kerepokomodas.epizy.com/zapefej.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/82cc4cfd-5571-4062-ac23-daba87db4810/52206238842.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/d41bca23-2efb-4467-a46c-d8fde4827cfc/chrome_will_not_support_flash_2020.pdfIn PDF document text
    • https://s3.amazonaws.com/bovenotojitowe/convert_date_to_string_format_javascript.pdfIn PDF document text
    • http://todubina.epizy.com/hello_brother_film_song_webmusic.pdfIn PDF document text
    • https://s3.amazonaws.com/juliziwojatige/how_to_concatenate_strings_in_crystal_reports.pdfIn PDF document text
    • https://3eeb541e-75be-486c-a732-b1e279b2a932.filesusr.com/ugd/eaab1c_b0ce8ac85ac640a98311d6783f53a816.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/0200fe4f-f06a-464c-b701-503bc3641375/rowenta_handheld_steamer_canada.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000eddc.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEDDC 5152 bytes
SHA-256: 76b0bb79975c3781f46783c5c4b9ce1402d976dd27bc3d2486ab0f90d4ff59fd
font_01_sfnt_off0000ff73.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFF73 10832 bytes
SHA-256: e0ca738d295f33d98e6506b79ba43b78948cfdc217e4f0ed97830d8ae3a3fac2