Malicious PDF — malware analysis report

Static analysis result for SHA-256 5849677988456665…

MALICIOUS

PDF

74.0 KB Created: 2021-06-11 16:34:07 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-29
MD5: 0e1f57373368cf4ea3b099e40b39243f SHA-1: e5b233ac913e4c6d5f359c9158c3f85c3c37edb0 SHA-256: 5849677988456665da71916c1f64b649ae5e89a0b072a027846db1188c0ea745
194 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains numerous external links, many hosted on disposable domains, suggesting a link farm designed to redirect users. The presence of a "download button" heuristic and a ClamAV detection for "Pdf.Phishing.Trojan" strongly indicates a malicious intent, likely for phishing or distributing further malware. The ML classifier also flagged this PDF with high confidence.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://smidgel.ru/pbw?utm_term=android+4.4+2+settings+apk PDF link annotation
    • https://static.s123-cdn-static.com/uploads/4479675/normal_5feea429e929e.pdfIn PDF document text
    • https://semebikifotiz.weebly.com/uploads/1/3/4/7/134752265/vowubonorexogoluni.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4451556/normal_605675433e6ef.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4422378/normal_602aa477a02e0.pdfIn PDF document text
    • https://tevumusavobe.weebly.com/uploads/1/3/4/1/134108657/dedogi.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4403804/normal_5fcef7efed835.pdfIn PDF document text
    • https://gipomezaligivuj.weebly.com/uploads/1/3/5/3/135348854/wolosiravuzafanug.pdfIn PDF document text
    • https://guxojifupu.weebly.com/uploads/1/3/1/4/131438233/nejilogidaxis.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4416327/normal_5fcf270a82b9b.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4384650/normal_6030aa7d5bee8.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/31780ea0-434f-4b7e-8616-9b550fa5ac08/31063047117.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/09ddf507-648a-40f3-bff1-2246bf0745ca/69115542181.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/51db6e6b-ab00-4ec4-897e-4834665f1383/motorola_baby_monitor_mbp33bu.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/58517da5-0d6c-4c26-a56c-d89c30973aff/sezopuzojaxoduberawitot.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/bbd7556d-7fac-4e47-a215-6866e976e355/gebapomaradagon.pdfIn PDF document text
    • http://kalejesezuda.pbworks.com/f/harry_potter_and_the_sorcerers_stone_book_review_essay.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/cf2e43b7-c39c-4225-a87a-7cf506a03639/natili.pdfIn PDF document text
    • http://vimadutukad.pbworks.com/w/file/fetch/144440559/kuvituvupudimepanoxa.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/faa53310-f3a5-4218-9a1a-fb0a4314736a/the_mixing_engineers_handbook_3rd_edition.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/0c23a778-da22-4040-94af-8e94364f0002/how_can_hydrogen_peroxide_cure_bv.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/1f583445-7996-421a-812c-469e72f781f8/how_to_make_incentive_plan_for_sales_in_excel.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e35d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE35D 5400 bytes
SHA-256: 0ac63327fcfc05850ae7268e8a0329ef57bc60ae4ddb504748fd51793581917f
font_01_sfnt_off0000f5dd.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF5DD 10812 bytes
SHA-256: ae40b2974e677f2a9d07198d30eac501f190d5e9945dbcfcc466388781856eb0