Malicious PDF — malware analysis report

Static analysis result for SHA-256 59abd99ac6ce31bc…

MALICIOUS

PDF

174.4 KB Created: 2021-03-18 12:16:03 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-23
MD5: a670168e7f329322aa24fbd7146bc068 SHA-1: 7824d6e1e2a35d1e3bb8f67971e84c1695b34de1 SHA-256: 59abd99ac6ce31bce057bd2607574eb3d72f984690750618eb05f1a4e2952f53
184 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous embedded links, with at least one identified as a malicious redirector. The document body, though heavily obfuscated, appears to contain text related to search queries and document titles, suggesting a phishing or scam lure. The presence of multiple links on disposable hosting further supports this, indicating an attempt to drive traffic to malicious infrastructure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://yafferge.ru/strik?utm_term=the+jesus+puzzle+review+answers In PDF document text
    • http://medgaj.com/what_is_media_literacy_and_why_is_it_importantw8fsc.pdfIn PDF document text
    • http://net-klientov.ru/3941902028262t15.pdfIn PDF document text
    • http://stepka2016.xyz/15340721428l2gyc.pdfIn PDF document text
    • http://itclick.info/cognos_reporting_studio_user_guidetlbw6.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://c7bff75e-0a19-4817-9d47-fca4cf08161b.filesusr.com/ugd/3b6424_78b892e3a5094814b7597390900f1203.pdf?index=trueIn PDF document text
    • http://kokexaxuseru.epizy.com/70108850485.pdfIn PDF document text
    • https://eee5dff6-7331-416e-acdf-593d0c386862.filesusr.com/ugd/21e9e0_6b3639d91c864698b84339ae9beca1bd.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/09dd910b-6fd1-4d2b-a8be-d9c5d2f17bd1/44160049657.pdfIn PDF document text
    • https://a179b4bb-f9e1-4b0b-8685-f881d2afde68.filesusr.com/ugd/0fdb6d_14bcfde8c64d4241961f124a0e9aa128.pdf?index=trueIn PDF document text
    • https://37bcb4aa-7747-4ff6-a352-0e22bf983c21.filesusr.com/ugd/4393d3_e5f605fe3f054650bc534cbfd2115e81.pdf?index=trueIn PDF document text
    • https://8dac4d01-2cd1-45d2-8b5f-6005f802adc9.filesusr.com/ugd/1f96ce_6f24f083613a491a8e75ae6d74cc8686.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/0d837de9-2d57-4a3f-95ba-597704b021c6/61548599571.pdfIn PDF document text
    • https://9b08d158-0e0f-4203-9b31-e1272d977b1c.filesusr.com/ugd/086daf_e147ce43d47d48b28c18c064d9952e75.pdf?index=trueIn PDF document text
    • https://a79c6309-487e-499f-a993-0ac454a400c8.filesusr.com/ugd/747acf_7c030a42a6f24337945e4792861ebf72.pdf?index=trueIn PDF document text
    • https://486a928f-df87-4682-b39c-9199637d78f9.filesusr.com/ugd/982a49_466c5b1ff38b41ba81a9992c6b331307.pdf?index=trueIn PDF document text
    • http://palavujat.epizy.com/symbol_latex.pdfIn PDF document text
    • https://aa4de0c4-a7fb-47f6-97fe-5721705e71c1.filesusr.com/ugd/824332_6f489a72440642d3b883d9636507beaa.pdf?index=trueIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000269f8.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x269F8 5136 bytes
SHA-256: 8aa0edf2b9992edb71f659ef29088f5321c75e30388a6513c3f50a3bbc6c4924
font_01_sfnt_off00027b84.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x27B84 15140 bytes
SHA-256: 68398d185446b48976a0ea8aa3ef6cfe8b3b09271cd8ae22d17f892f5738b3ca