Malicious PDF — malware analysis report

Static analysis result for SHA-256 5a12d7eea7b29d65…

MALICIOUS

PDF

76.3 KB Created: 2021-03-23 23:14:43 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d53dc5beb671fe14de8a605c332f3087 SHA-1: d027d052bce737d8cfb1d975403e05af06965c3a SHA-256: 5a12d7eea7b29d65080b1fc19cf3c47e6bb738d7ec3f47f304d02d20646c78d6
126 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains a lure related to an 'anatomy of the digestive system answer key' and embeds a URL pointing to a suspicious domain. Heuristics indicate the PDF is a link farm on disposable hosting, and ML classifiers and ClamAV detect it as malicious, likely phishing or a trojan. While no scripts were explicitly extracted, the PDF structure and embedded URI suggest an attempt to redirect the user to a malicious site for further exploitation.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9529

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PDFSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://xezojetit.ru/award?keyword=anatomy+of+the+digestive+system+answer+key+pdf
    • https://cdn-cms.f-static.net/uploads/4453100/normal_6016e5034bdd8.pdf
    • http://xatovapotogu.mywebcommunity.org/how_to_know_your_apple_watch_is_waterproof.pdf
    • http://kumajamefe.getenjoyment.net/dufalokodugojekine.pdf
    • http://worelimupuvefam.mywebcommunity.org/fojenedasuxadapirokaxisu.pdf
    • http://mosebuzixat.mywebcommunity.org/81113825959.pdf
    • http://bikokobolo.sportsontheweb.net/92962145856.pdf
    • http://jerunuju.mypressonline.com/jilag.pdf
    • http://rosativiwam.mypressonline.com/97682712756.pdf
    • https://cdn-cms.f-static.net/uploads/4408172/normal_603017ba183bc.pdf
    • http://pufivuziviv.mypressonline.com/99431302225.pdf
    • https://cdn-cms.f-static.net/uploads/4480170/normal_603f3ed15c52c.pdf
    • http://zomoxoxuriw.mypressonline.com/biodata_format_for_marriage_proposal.pdf
    • http://lefibipefazefep.mypressonline.com/biological_control_of_plant_diseases_book.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://50b44c92-959e-4a15-bf83-93d6b2b518d6.filesusr.com/ugd/3ed44c_02e0cef5108941899135b45bc2e24275.pdf?index=true
    • http://dilutibu.onlinewebshop.net/besos_de_chocolate_libro.pdf
    • https://d4cba69e-f3c5-4a64-9e40-69ba24924691.filesusr.com/ugd/b73feb_14689fa836e54532a6848c2dcffeb449.pdf?index=true
    • https://74a5c9af-61bb-4d76-9351-4d02c0bf652a.filesusr.com/ugd/e33828_7f360b35a951492eb67c9cd932cf4a33.pdf?index=true
    • http://sidepojedava.myartsonline.com/catholic_prayer_for_someone_with_mental_illness.pdf
    • https://9a4b5e96-23fe-4021-9525-787506808755.filesusr.com/ugd/b3318b_efb838184cb24c3c918d91a10483d7a3.pdf?index=true
    • http://vilumepidiwego.myartsonline.com/lijevusonowasa.pdf
    • http://vedixemalirugi.atwebpages.com/88497648210.pdf
    • http://runuwug.myartsonline.com/caste_certificate_application_form_ap.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f863.bin
c7e2134cde90e2a0a0a2a42d5b2b8eef7a6741c89702d11182f2dc784fa054d4		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF863 5728 bytes
font_01_sfnt_off00010be3.bin
a796a000710772436cb2812a3c48eb5af1a8ba0730d86f45896237305dc939be		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10BE3 11076 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.