Malicious PDF — malware analysis report

Static analysis result for SHA-256 6a288fc15127b55a…

MALICIOUS

PDF

119.1 KB Created: 2021-05-30 19:52:16 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-12
MD5: 4ce9681db78ea18458cf2fb843fde2d5 SHA-1: 33a61013a8d11afb33b75d2f654f27adef070314 SHA-256: 6a288fc15127b55a048d557cdaf426662640ef332865d842f96d1c80ffde62fa
194 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains a link farm with numerous external URLs, many hosted on disposable domains, suggesting a phishing or redirection attempt. The presence of a 'download button' lure and a high ML classifier score further indicate malicious intent. While no scripts were explicitly extracted, the PDF structure and URL patterns are consistent with a phishing campaign designed to redirect users to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9988

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://vilenefex.ru/123?utm_term=telugu+academy+b.+ed+psychology+books+pdf PDF link annotation
    • https://cdn-cms.f-static.net/uploads/4485162/normal_6066b8a455b74.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4376858/normal_60293f956b12d.pdfIn PDF document text
    • https://buvupoxiku.weebly.com/uploads/1/3/4/3/134329971/1442160.pdfIn PDF document text
    • https://static.s123-cdn-static-d.com/uploads/4414869/normal_60afe5bd6d6a4.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4479942/normal_6061c5b6dcbc4.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4427097/normal_6001efbf41594.pdfIn PDF document text
    • https://tekeginisexufu.weebly.com/uploads/1/3/1/3/131381150/wanigopomiz.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4388421/normal_6025c387bb342.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4367656/normal_6043c0c7b7f10.pdfIn PDF document text
    • https://wolapegod.weebly.com/uploads/1/3/0/7/130776073/sigekigulex_dutagozuzagemes_firewosoxabun_kilexofinonif.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4409393/normal_5ff8fc4e2ea6a.pdfIn PDF document text
    • https://nitiduzumamojas.weebly.com/uploads/1/3/7/5/137506598/a43f3f.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4469136/normal_6029cdd00dfc2.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4401712/normal_6067d13487fb9.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4421350/normal_60091d6148ad3.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4402533/normal_5fd0af4db9ad2.pdfIn PDF document text
    • https://liroxinumapidaz.weebly.com/uploads/1/3/5/3/135348088/voruxemod.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://fedorahosted.org/lohitIn PDF document text
    • https://uploads.strikinglycdn.com/files/c46a14dc-a2b8-44c9-a488-daa21bd8b5eb/amazon_writers_income.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/bdef0ca1-8a32-461d-af9e-c1c31f63cbaa/kugilufa.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/8eeb151f-4e38-45b8-9a6e-1bd871c46b89/16639106961.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/835af5e4-ac5a-4614-98af-9841621633e5/65390054914.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/2c0b73eb-6c17-4de6-be1c-248827028df6/xafunevajafug.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/16a6e92b-9b54-4c30-8c03-1a44a780de43/uniden_bcd396xt_firmware.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00014ba8.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x14BA8 5760 bytes
SHA-256: 8d7b9f1fe7760f8caac32c2b4391f5cc361acbe72fc2fe5cfa8bae8a46375da5
font_01_sfnt_off00015f29.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x15F29 8428 bytes
SHA-256: 8723c21b1085fd042bad772a13d68c7b8ec1211db6e1c004983d47477eea4822
font_02_sfnt_off00017935.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x17935 12032 bytes
SHA-256: d1ac97114710c8add3b10a65576ff3585da4b4f8e112142a0be1e5a67e135831
font_03_sfnt_off0001a25a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1A25A 14596 bytes
SHA-256: fee577a3ec38da2af923c04018c518fcf2ca909bd6665be470a61392a4562a3e