Malicious PDF — malware analysis report

Static analysis result for SHA-256 6caedff098088510…

Verdict: MALICIOUS
File type: PDF
Size: 113.5 KB
Created: 2021-06-09 15:12:14 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-25
MD5: 6c966ee0d662faef41f5a89abf6a744d
SHA-1: aa78175312508b9d6a7273257bbabd3a5f539489
SHA-256: 6caedff09808851092a45bd7d0cba3ba475f9c961177baf259301c1c8a9bf174
Risk Score: 126

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. The document contains numerous links, including one pointing to 'queure.ru', which is likely a phishing or malware distribution site. The presence of embedded URLs and the heuristic identifying it as a link farm on disposable hosting suggest the primary goal is to redirect users to malicious content. No scripts were extracted, but the overall structure and URL targets point to a phishing or credential harvesting attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9961

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://queure.ru/pbw?utm_term=bahubali+2+all+song+download+in+tamil (PDF link annotation)

Extracted artifacts (7)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size (the SHA-256 of each artifact follows on the next line)

  • stream_007_off00018e7c.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x18E7C | 17324 bytes
    SHA-256: f2bece272fe5621de887e6009709070af5a28bb0146a9beaf091e1adba4031c1
  • font_00_sfnt_off00010b95.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10B95 | 3776 bytes
    SHA-256: d7bea84525bbefdb5850337f7daf5ff5554917552b257dd0afd4411b02ea0fc5
  • font_01_sfnt_off00011924.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11924 | 5556 bytes
    SHA-256: 871de3696f2bec96a7bde00c684e31298714fe55243dd007e19e2788ad065bfc
  • font_02_sfnt_off00012bf1.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12BF1 | 2576 bytes
    SHA-256: 87a2043b89c9a07063531d2139a53fadb97926196d7ac7c0d52e7c98e116c0e1
  • font_03_sfnt_off000136fe.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x136FE | 19320 bytes
    SHA-256: c34202e73773dc7c62fa77a85b5615983f43fc541a015227a01eafab2ab2a596
  • font_04_sfnt_off000162db.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x162DB | 14108 bytes
    SHA-256: 3c252d3ce10e6af17dc62032a3f58ad2211b1dc324cd544e2198384456b9313d
  • font_06_sfnt_off0001a82a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1A82A | 3616 bytes
    SHA-256: 4e2d29185b772bd8db6d0785e3a934dcaa46a57c18244caa032b234d3721fef6