Malicious PDF — malware analysis report

Static analysis result for SHA-256 6909d5450e9a855c…

MALICIOUS

PDF

Size: 58.1 KB
Created: 2021-09-21 02:34:56 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-11-03
MD5: 4c2be9ff217857d2077808a9e3a1a457
SHA-1: 78b6d81f7f22c1d95fced2ec75504e5781219416
SHA-256: 6909d5450e9a855c25c4bffed60e53a598a2848466deea9c2246d69dae43c368
Risk Score: 144

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. It contains numerous external URIs, including one pointing to a raw IP address, suggesting it functions as a link farm or downloader. The PDF structure and embedded content, despite being heavily obfuscated, are consistent with phishing or malware distribution tactics.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6068

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, tag: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Clickable URI points to raw IP address (severity: medium, tag: PDF_URI_IP_LITERAL)
    PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
  • Small PDF is a non-clustered link farm on disposable hosting (severity: medium, tag: PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (severity: info, tag: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, tag: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL (channel):
    • http://bridgeonlaw.com/filespath/files/20210910115622.pdf (In PDF document text)
    • https://hanoihome.net/img_duhoc/files/jeletan.pdf (In PDF document text)
    • http://swhos.com/upload/files/kadozisewa.pdf (In PDF document text)
    • https://barcelonacentremedic.cat/files/galeria/files/futomodofovoj.pdf (In PDF document text)
    • https://airxps.com/userfiles/files/sitezozolevanuxaxu.pdf (In PDF document text)
    • http://bippex.com/filespath/files/20210915192027.pdf (In PDF document text)
    • http://krr-nfe.com/suratnfe/UserFiles/File/didetoxejiwu.pdf (In PDF document text)
    • http://zespolbahamas.pl/zdjecia/file/44781215076.pdf (In PDF document text)
    • http://ulsantour.com/FileData/ckfinder/files/20210913_299396888BBFB4A1.pdf (In PDF document text)
    • https://birsamundapark.in/userfiles/files/famafuzarobekizugo.pdf (In PDF document text)
    • http://www.yevres.fr/ckfinder/userfiles/files/9421749485.pdf (In PDF document text)
    • https://officialbacknumber.com/editor_up/xaxibe.pdf (In PDF document text)
    • http://140.121.125.49/ckfinder/userfiles/files/20210905_014803.pdf (PDF link annotation)
    • http://dkind.net/userData/board/file/27681861035.pdf (In PDF document text)
    • http://annabarons.lv/files/files/3061092510.pdf (In PDF document text)
    • https://smartstone.ca/userfiles/files/mukupofogomixaxasagejuz.pdf (In PDF document text)
    • http://mdsalon.ru/img/lib/file/pozirenenejaguliwujakil.pdf (In PDF document text)
    • http://tivati.com/uploads/userfiles/file/pigegisozakumofelutopiw.pdf (In PDF document text)
    • http://teplorium.su/userfiles/file/85943319688.pdf (In PDF document text)
    • https://ezgoe.com/10005001208290177/ckfinder/userfiles/files/47464744044.pdf (In PDF document text)
    • https://alenakovalchuk.ru/wp-content/plugins/super-forms/uploads/php/files/05176e5631bbcdcdb768458740b486af/retuxosizomigugug.pdf (In PDF document text)
    • http://ondrejkocar.cz/img/file/22272214045.pdf (In PDF document text)
    • http://1night2daytour.com/ckupload/files/verokatidopesu.pdf (In PDF document text)
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/cv9VXjIrmdE/uplcv?utm_term=digimon+world+2+iso+download (PDF link annotation)
    • http://dejavu.sourceforge.net (In PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (In PDF document text)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000d3c0.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD3C0
    Size: 10568 bytes
    SHA-256: 26b8397a8766d81a3811d78d1524ff9cf6e74b111b319a3a81951712b75013ea