Malicious PDF — malware analysis report

Static analysis result for SHA-256 5e6e215aba0301f2…

MALICIOUS

PDF

77.9 KB Created: 2021-03-13 18:12:19 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-21
MD5: c5cc5c2ff0b6f095939a6bd78d168d01 SHA-1: ed6a5a9ea21376c1d2d6e1071a82f75c7753372a SHA-256: 5e6e215aba0301f28402158d424b6016ddb5199a236a538306182dbbecd06f14
166 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a phishing or trojan threat. It contains multiple suspicious links, including an invisible link to 'http://managerprogram.live/hurry_up_crossword_answermafgz.pdf', suggesting a lure to a malicious site. The document body is heavily obfuscated and contains metadata indicating it was generated by wkhtmltopdf, a tool often abused for malicious PDF creation.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image-heavy PDF with invisible link to suspicious domain high PDF_SUSPICIOUS_LINK_LURE
    PDF is a small image-heavy lure with invisible link annotations that send the user to a suspicious high-risk-domain URI. This matches credential-phishing carriers where the visible document is only a prompt and the real collection flow happens on the linked website.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://resalured.ru/award?keyword=bayesian+reasoning+in+data+analysis+pdf PDF link annotation
    • http://olipaka.xyz/printable_dinosaur_coloring_pages_pdo7o89.pdfIn PDF document text
    • http://copyrightproblem.com/gravograph_im3_manualsnghx.pdfIn PDF document text
    • https://cdn.sqhk.co/jedugifaxido/auihVgc/75470430502.pdfIn PDF document text
    • https://rizegenaw.weebly.com/uploads/1/3/4/1/134108854/997692d6e1f9d1.pdfIn PDF document text
    • http://sfr-espace.best/vunapulu92twr.pdfIn PDF document text
    • https://cdn.sqhk.co/mopewedote/s9CpFjg/new_bollywood_ringtones_2018.pdfIn PDF document text
    • http://1-bog.ru/narawowabonovunudoniyrt65.pdfIn PDF document text
    • http://2022god.com/how_to_use_reduced_fare_metrocarddukyn.pdfIn PDF document text
    • http://8gusevshop.space/lulizujudekudoruzasimcoom.pdfIn PDF document text
    • https://jobemorisawelav.weebly.com/uploads/1/3/4/1/134108772/wuzojimetatujo.pdfIn PDF document text
    • https://cdn.sqhk.co/rozesivotix/Qjiidgj/net_30_terms_agreement_template.pdfIn PDF document text
    • http://podipotekoi.ru/diagnostic_microbiologyrqfij.pdfIn PDF document text
    • http://swiss-family.space/85941036280b5ala.pdfIn PDF document text
    • https://mewupevubuk.weebly.com/uploads/1/3/5/3/135387541/6e1d8eded3.pdfIn PDF document text
    • https://duzunadi.weebly.com/uploads/1/3/0/9/130969775/3940105.pdfIn PDF document text
    • http://managerprogram.live/hurry_up_crossword_answermafgz.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://bevunogigofijag.rf.gd/8295036509.pdfIn PDF document text
    • http://xalelafo.rf.gd/99711058857.pdfIn PDF document text
    • http://kopipalowawaj.epizy.com/75213948270.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ded2.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDED2 5360 bytes
SHA-256: 5b3d1b8ece2de2be33d1f99d536f622de974fffe7514ed3ef0008d380311bac1
font_01_sfnt_off0000f12c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF12C 10612 bytes
SHA-256: be39355dfd72d845b8c5e6641f48ab25ec2b71ab17a04a1999315f8f37f2735d
font_02_sfnt_off00011562.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x11562 16060 bytes
SHA-256: 2173a1880e9f774f759393e7d0d28dda91d04d8a3eae6bea41b822770b343b90