Malicious PDF — malware analysis report

Static analysis result for SHA-256 63eea62338523b70…

MALICIOUS

PDF

64.5 KB Created: 2021-10-05 09:29:31 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-11-24
MD5: c141767897b9efe3dbedb5879648e0e7 SHA-1: 398601e1472c5ba0736171079e4840437fafda09 SHA-256: 63eea62338523b702854f3da7ec3d580621ffdcf172d9572bfe3fd2a2aff6a91
172 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The sample is a PDF document containing embedded JavaScript and numerous links to external PDF files hosted on disposable domains. The heuristic 'PDF_RANDOM_URL_LINK' and 'PDF_SEO_DISPOSABLE_LINK_FARM' indicate a strong likelihood of this document being used to distribute further malicious content, likely through a phishing or social engineering pretext. The embedded JavaScript is likely responsible for initiating the download or redirection to these malicious links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7230

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link to algorithmically-generated URL high PDF_RANDOM_URL_LINK
    PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ppfi-online.com/userfiles/file/41427113753.pdf In PDF document text
    • https://elearning-chemistry.ro/userfiles/file/86523986548.pdfIn PDF document text
    • http://www.bluefashion.cz/ckfinder/userfiles/files/dajuwedorilinovewa.pdfIn PDF document text
    • http://piannocreativo.com/js/new/fckeditor/userfiles/file/gurejarotawebitunexuteta.pdfIn PDF document text
    • http://lucidarepavimentimarmogenovaealessandria.it/userfiles/files/zafinegeruwapafij.pdfIn PDF document text
    • http://www.likoda.com.tw/upload/ckimg/files/jajede.pdfIn PDF document text
    • http://xperion.hu/wp-content/plugins/super-forms/uploads/php/files/d81e2c64f3c71360128094ece65a8174/80830534968.pdfIn PDF document text
    • http://ledseoul.com/userData/board/file/63341036759.pdfIn PDF document text
    • http://improntediteatro.it/userfiles/files/vogovukedizunokijin.pdfIn PDF document text
    • http://rewitex.pl/userfiles/file/1157308063.pdfIn PDF document text
    • https://n-v-v.dk/userfiles/file/lexunemifadapi.pdfIn PDF document text
    • http://suarezbeltran.com/aym_images/files/kosaxutizosozupigetew.pdfIn PDF document text
    • http://marcelponjee.nl/ponjeefiles/file/purenotizujedatovevozud.pdfIn PDF document text
    • http://mmbassisiprovince.in/files/js/ckfinder/userfiles/files/33862099475.pdfIn PDF document text
    • http://bpsstudio.hu/uploads/19364398948.pdfIn PDF document text
    • http://www.marcado.ca/wp-content/plugins/formcraft/file-upload/server/content/files/1613100a0db3f3---25654580090.pdfIn PDF document text
    • http://xn--299a941ap1h.com/userfiles/file/20211005112856.pdfIn PDF document text
    • http://moscow-vernisage.com/files/files/8762355747.pdfIn PDF document text
    • https://msvadba.ru/files/file/feparotetenabisojurozidi.pdfIn PDF document text
    • https://5udua.com/contents/files/nusaguxazuxokakajeninap.pdfIn PDF document text
    • http://wx-test.com/upload/ckimg/files/202110011810035516.pdfIn PDF document text
    • http://chandravanshi.com/userfiles/file/mejerumozodugufoxuzaru.pdfIn PDF document text
    • http://i-akparat.kz/ckfinder/userfiles/files/9040725251.pdfIn PDF document text
    • http://szyqjsj.com/UploadFile/file/20210927133017716.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/Om9ozkHLxGw/uplcv?utm_term=lol+names+availablePDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000bee5.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xBEE5 18760 bytes
SHA-256: e6fa1bb39fb237b385f6acc37ac2852bba5e6ba24a3a10381377358ddf04f65e
font_01_sfnt_off0000efe1.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEFE1 10232 bytes
SHA-256: b4d9e07f13e092c6ae2ba5cb6785f499660100a186b476c7ecb0fe84298198f0

Open this report in the interactive analyzer, or submit your own file for analysis.