Malicious PDF — malware analysis report

Static analysis result for SHA-256 5f0afbe29b9854c4…

MALICIOUS

PDF

61.2 KB Created: 2021-02-17 18:06:03 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-16
MD5: bd7a7b62572337cd28b995b958d7bbe3 SHA-1: 4418986a75fb55c83bc383fa64430b29a61ee880 SHA-256: 5f0afbe29b9854c41924c39ba9687c13343a6c9400be9e1447c86b514d2123e8
182 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The sample is a PDF file flagged by multiple heuristics as malicious, including a critical finding for linking to known malicious redirector infrastructure. The document body contains obfuscated text and numerous embedded URLs, many of which point to disposable hosting domains, suggesting a phishing or scam attempt. The presence of a malicious redirector URL indicates an attempt to lead the user to a harmful site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8016

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://yafferge.ru/strik?utm_term=can+you+connect+turtle+beach+stealth+700+to+pc In PDF document text
    • http://dress-russia.ru/77201201001iduot.pdfIn PDF document text
    • https://dufebekeromodi.weebly.com/uploads/1/3/0/7/130776386/9695010.pdfIn PDF document text
    • https://koxowuberes.weebly.com/uploads/1/3/1/3/131379375/fonotobipexewexova.pdfIn PDF document text
    • http://richteam.site/kleptocats_cartoon_network_gameplayjr5k7.pdfIn PDF document text
    • http://gidaxajigim.22web.org/mh_bed_cet_admit_card_2018.pdfIn PDF document text
    • http://zavudonalu.66ghz.com/74015286157.pdfIn PDF document text
    • https://bexusisase.weebly.com/uploads/1/3/4/5/134596812/5057527.pdfIn PDF document text
    • http://itslm.fun/61722006003ojhce.pdfIn PDF document text
    • http://onsideball.info/how_to_find_the_measure_of_interior_angles_in_a_polygonekan0.pdfIn PDF document text
    • https://gokotaxoka.weebly.com/uploads/1/3/4/1/134109163/kagebu.pdfIn PDF document text
    • http://rokonagusedat.22web.org/fodixepegemen.pdfIn PDF document text
    • http://lenudes.com/buxes3u6cp.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://ganasoniledaw.rf.gd/13083493278.pdfIn PDF document text
    • http://momesesewoja.rf.gd/silber_ahorn_blattform.pdfIn PDF document text
    • http://tevufom.epizy.com/96993060026.pdfIn PDF document text
    • http://bewaxupu.rf.gd/principles_of_cost_accounting_16th_edition.pdfIn PDF document text
    • https://s3.amazonaws.com/xedewofuretujo/36350860715.pdfIn PDF document text
    • https://s3.amazonaws.com/rupatojuko/toshiba_laptop_bluetooth_driver_windows_10.pdfIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000cd58.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xCD58 5340 bytes
SHA-256: 36e1aadb49af5d2abbbcb02b99db9a34b37db92e55c8dd2e9c88f1534dab568f