Malicious PDF — malware analysis report

Static analysis result for SHA-256 641d7078d4121855…

MALICIOUS

PDF

91.1 KB Created: 2021-06-02 10:10:08 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: dd887a2005e83f46cfef832da4b90e0d SHA-1: 740d1d164b3ef918a6fb0be48a13e0bc04eab7f5 SHA-256: 641d7078d4121855b36e262e85876e48b28abde10435a3a074a06793b69529e5
184 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF file contains a large number of external links, many hosted on disposable domains, indicating a link farm designed to redirect users. The ClamAV detection and ML classifier further support its malicious nature, classifying it as a phishing trojan. The embedded links suggest an attempt to lead users to malicious websites, likely for credential harvesting or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5974

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://smidgel.ru/pbw?utm_term=not+that+meaning+in+urdu
    • https://jipaxebuperiw.weebly.com/uploads/1/3/4/7/134751602/632433.pdf
    • https://pimupaxepa.weebly.com/uploads/1/3/1/8/131857198/8498014.pdf
    • https://vukegodepobaxi.weebly.com/uploads/1/3/4/6/134676750/7075412.pdf
    • https://cdn-cms.f-static.net/uploads/4375196/normal_606e1c26ce7df.pdf
    • https://dexugagemer.weebly.com/uploads/1/3/4/7/134715037/rizana-putapo-jijowifonig.pdf
    • https://jimakujomeda.weebly.com/uploads/1/3/4/4/134438408/jopolupi-pulasirolaxizex.pdf
    • https://static.s123-cdn-static.com/uploads/4422640/normal_5fe5bd5d92570.pdf
    • https://pelepidavivi.weebly.com/uploads/1/3/1/4/131454492/d18a1b2b.pdf
    • https://cdn-cms.f-static.net/uploads/4407552/normal_601564e0c0713.pdf
    • https://cdn-cms.f-static.net/uploads/4459777/normal_60344f4f783e5.pdf
    • https://jopalezaleloloj.weebly.com/uploads/1/3/1/3/131380469/xevajomirow.pdf
    • https://kubuvapag.weebly.com/uploads/1/3/0/7/130776206/munexarimatogizu.pdf
    • https://ridegagix.weebly.com/uploads/1/3/4/6/134668883/b7f61b40f4.pdf
    • https://xaviloxoganobe.weebly.com/uploads/1/3/1/3/131383750/sadudusip-busuwepigozudi-migufevonoz.pdf
    • https://static.s123-cdn-static.com/uploads/4459941/normal_5ff88a0457a68.pdf
    • https://gefatute.weebly.com/uploads/1/3/5/3/135345711/d6598950.pdf
    • https://xonufukagupunim.weebly.com/uploads/1/3/1/3/131384400/9fc56cbe52c051d.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/c12efda6-d295-4d13-a35a-17d1c33b1743/the_boy_in_the_striped_pajamas_chapter_4-6_summary.pdf
    • https://uploads.strikinglycdn.com/files/ddceca73-9207-4b53-9604-f6fd975781d7/behringer_xenyx_1202_usb_manual.pdf
    • http://vimadutukad.pbworks.com/f/67872252872.pdf
    • http://nukuxim.pbworks.com/w/file/fetch/144487545/covid-19_medical_certificate_format_download.pdf
    • https://uploads.strikinglycdn.com/files/ec68fcfb-5095-4aa8-960c-7cc7756073f9/kowufemoxuzibo.pdf
    • http://zilebunod.pbworks.com/f/4460111810.pdf
    • https://uploads.strikinglycdn.com/files/3437b38f-c752-49ca-a3ff-4eb5556b2c78/libro_de_historia_de_mexico_2_grado_de_secundaria.pdf
    • http://gitefov.pbworks.com/f/xujewigetofugalo.pdf
    • http://dejavu.sourceforge.net
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_007_off00015422.bin
fca6cdf1765f77fde9dbc29ddb28b7940432cb00a175f04b53cdf9c261f9baef		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x15422 16708 bytes
font_00_sfnt_off00011c48.bin
e5ad4d76c780319445b303329b0dce4b0abed9cb23c5b2acd06d214b343cd4a1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11C48 5000 bytes
font_01_sfnt_off00012d1d.bin
3c81ac0959e0b7ca6dfbe870740d216673b14552758603481a7715da1f05d37d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12D1D 11416 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.