Malicious PDF — malware analysis report

Static analysis result for SHA-256 6ed91cd29589be79…

Verdict: MALICIOUS
File type: PDF
Size: 76.3 KB
Created: 2021-03-28 17:49:00 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5427c5b5c8937e1980204063b76fef48
SHA-1: 6832b7ed4b4a40513636195a195984760cb49442
SHA-256: 6ed91cd29589be79f30ee62c7228ec405803cf9a656c040b918745be5a4c4082
Risk Score: 244

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF contains a large number of embedded links, one of which was identified as a malicious redirector. The ML classifier and ClamAV also flagged this PDF as malicious, indicating phishing or trojan-like behavior. Its primary function appears to be directing users to potentially harmful external sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6986

Heuristics (6)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • PDF differential parser failed [info] PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PDFSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://yafferge.ru/award?keyword=descriptive+paragraph+graphic+organizer+pdf
    • http://dibozakik.22web.org/office_365_admin_center_guide.pdf
    • https://cdn-cms.f-static.net/uploads/4409405/normal_5fda5e928f349.pdf
    • http://top-odejda.com/jalakedanojotujyiam4.pdf
    • https://cdn-cms.f-static.net/uploads/4451940/normal_605677737315c.pdf
    • https://dasajusowerav.weebly.com/uploads/1/3/1/6/131637273/vixilafatokados_juxuzob_ponavibajumixex.pdf
    • https://jijoforupet.weebly.com/uploads/1/3/4/8/134864875/naginifagetedebimuko.pdf
    • http://gipovasota.sportsontheweb.net/grammar_for_english_language_teachers_parrott.pdf
    • http://lukisasore.mywebcommunity.org/bebixofupiner.pdf
    • https://nujuwededewomoj.weebly.com/uploads/1/3/4/3/134305400/7450247.pdf
    • https://cdn-cms.f-static.net/uploads/4415065/normal_6054380b8f6c7.pdf
    • https://petenugilamabo.weebly.com/uploads/1/3/1/4/131453278/445e748ee.pdf
    • https://cdn-cms.f-static.net/uploads/4479675/normal_6018bc18bbbb4.pdf
    • https://vunukufe.weebly.com/uploads/1/3/4/6/134640969/xigat.pdf
    • http://acupofjacob.com/sun_tzu_art_of_war_business_strategy941bp.pdf
    • https://cdn-cms.f-static.net/uploads/4406466/normal_6017a623cdd28.pdf
    • http://malanefire.sportsontheweb.net/why_is_my_washing_machine_filling_up_with_water_when_not_in_use.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://b3159766-6c8b-4733-a97d-e59ef6783693.filesusr.com/ugd/21851e_4aea53aa1c0d44a8a7eeef0f7142ab5e.pdf?index=true
    • http://rixefixefasi.rf.gd/the_standard_apartments_scottsdale.pdf
    • http://josesomesube.myartsonline.com/begin_the_beguine._partitura.pdf
    • https://f3874c2d-c116-49c2-b7b6-9300dc8fc43e.filesusr.com/ugd/b11f6d_f5c0aecb787348239c88d6d0e12282ea.pdf?index=true
    • http://wavexijazibivat.myartsonline.com/toposijodaxigetabot.pdf
    • https://b6f97e74-198a-461d-a312-d71b9712332b.filesusr.com/ugd/a2d007_3c461b17200b453c969a538452946ba3.pdf?index=true
    • https://8b7199fc-a029-4910-8138-caee300d1cbd.filesusr.com/ugd/da8f68_5267e7b3008d4a098b26f687e11a5252.pdf?index=true
    • http://sasovekefuw.rf.gd/water_auditing_process.pdf
    • http://nederanunotaz.rf.gd/is_milk_and_honey_nonfiction.pdf
    • http://witasovi.rf.gd/qualitative_data_analysis_tools_software.pdf
    • https://af18ad75-7652-4b25-b9e0-8da5fded0af1.filesusr.com/ugd/529385_b25e5ed8b04a4cd3979e34201bc20456.pdf?index=true
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000f344.bin
    SHA-256: 774db2ae03471dde30747a4f91a4c2c5f5072002da9dd82695339c11c696ccbd
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF344
    Size: 5492 bytes
  • Filename: font_01_sfnt_off0001060a.bin
    SHA-256: 6813c34fd6fdf019f460a502f64dc6c1d097891da717cb2d8c98688cef94eb4c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1060A
    Size: 11364 bytes