Malicious PDF — malware analysis report

Static analysis result for SHA-256 70c6446097e10b85…

Verdict: MALICIOUS
File type: PDF
Size: 74.8 KB | Created: 2021-09-20 20:34:12 +03:00 | Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) | First seen: 2021-10-16
MD5: f0a59ba332450a805a6d1b59f96f3041 | SHA-1: 43b79a8c8703c7d25b68f2da7763ee5b094c4ae2 | SHA-256: 70c6446097e10b85c3d811c19d443baf2163ff61df3bc44b9f309aa06fd9178b
Risk Score: 124

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is flagged as a malicious PDF by a ClamAV signature and by an ML classifier. It contains a large number of external URLs: one clickable link annotation pointing at a utm_term SEO redirector, and roughly two dozen links in the document text to .pdf files hosted in CMS upload directories (userfiles, ckfinder, fckeditor, wp-content uploads) on many unrelated hosts, a pattern consistent with a link farm built on compromised or disposable sites. The PDF_SEO_DISPOSABLE_LINK_FARM heuristic captures exactly this: a deliberate attempt to create many low-quality links that route users into redirect and payload chains. Note that the ML score (0.5898) is only marginally above the 0.5 decision boundary and would be a weak vote on its own; the verdict rests mainly on the ClamAV detection and the link-farm heuristic, and the document itself carries no exploit code. Treat the linked destinations, not the file, as the hazard.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5898

Heuristics (4)

  • ClamAV detection (critical, CLAMAV_DETECTION): ClamAV detected this file as malware with signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0.
  • Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (channel in parentheses):
    • https://inwebjor.ru/uplcv?utm_term=compare+android+and+ios+mobile+operating+systems (PDF link annotation)
    • http://ladna.pl/user_images/file/juzimomode.pdf (in PDF document text)
    • http://darstin.com/userfiles/files/21686060551.pdf (in PDF document text)
    • http://www.americaninvest.net/upls/files/maxafogijuwekivoj.pdf (in PDF document text)
    • http://goddesshair.net/upload/users/files/11290621197.pdf (in PDF document text)
    • https://www.tctnanotech.com/wp-content/plugins/super-forms/uploads/php/files/7df52652ba36608f2f3c95e9258c03fb/6855861288.pdf (in PDF document text)
    • http://bularz-auto.pl/images/userfiles/file/51547187144.pdf (in PDF document text)
    • http://levakov132.ru/userfiles/file/zepofikowaripunopipeni.pdf (in PDF document text)
    • http://shophouse.info/images/files/liguzofa.pdf (in PDF document text)
    • http://tcihk.com/userfiles/36311767235.pdf (in PDF document text)
    • http://www.w.radeton.cz/ckfinder/userfiles/files/xeberibukanuxigeduxavu.pdf (in PDF document text)
    • http://willtorock.com/wp-content/plugins/formcraft/file-upload/server/content/files/1613cf2963b1ea---bozegepusixegotep.pdf (in PDF document text)
    • http://dietmoiquangle.com/webroot/img/files/23369455398.pdf (in PDF document text)
    • http://audiencefertilization.com/fckeditor/editor/filemanager/connectors/php/userfiles/file/jafekijefaraleli.pdf (in PDF document text)
    • http://thepokewave.com/uploads/files/41244015384.pdf (in PDF document text)
    • https://www.antoniopopolizio.it/ckfinder/userfiles/files/18159993260.pdf (in PDF document text)
    • http://temple.mo/userfiles/file/zojib.pdf (in PDF document text)
    • http://avs-market.ru/admin/ckfinder/userfiles/files/mujoxozugisijewonuku.pdf (in PDF document text)
    • https://tradingcall.in/ckfinder/userfiles/files/gavukufudiwipapalew.pdf (in PDF document text)
    • https://tapuionoticias.com/ckfinder/files/vedaris.pdf (in PDF document text)
    • https://momsgardenfoods.com/ckfinder/userfiles/files/5056074881.pdf (in PDF document text)
    • http://nicenpos.com/userData/board/file/vimolawuxasemesudutudigin.pdfIn (in PDF document text)
    • https://actionsporting.com/userfiles/files/7498797287.pdf (in PDF document text)
    • http://avandcie-energy.com/ckfinder/userfiles/files/68805698898.pdf (in PDF document text)
    • http://miyisz.com/mingyi/images/userfiles/file/buwenudixexuwopexijor.pdf (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)
    Triage note: the two dejavu.sourceforge.net entries are the DejaVu font project's homepage and license page. They are benign and, given the two embedded sfnt fonts carved below and the wkhtmltopdf/Qt producer, most likely travel with the font metadata rather than with the phishing link set; exclude them before pivoting on the remaining hosts. Almost every other target is a .pdf placed inside a CMS file-upload directory (userfiles, ckfinder, fckeditor, wp-content plugin uploads), which is the typical footprint of legitimate sites abused as hosting for this SEO-phishing family.
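The two heuristics above (PDF_SEO_DISPOSABLE_LINK_FARM and the per-channel labelling behind EMBEDDED_URL) are easy to model. The following is an added example written for this page, not the scanner's own code: it builds a tiny uncompressed PDF (constructed input), extracts URLs from two channels (/Link annotation /URI actions and literal strings in content streams), then scores the host distribution. The thresholds, the disposable-host list, the upload-path pattern and all hostnames under .example are assumptions for illustration, not the vendor's rule or the sample's data.

```python
"""
Added example, not part of the original report: a stand-alone model of the
PDF_SEO_DISPOSABLE_LINK_FARM heuristic plus per-URL channel labelling.
Thresholds, indicator lists and the sample PDF are assumptions (hypothetical).
"""
import re
from collections import Counter
from urllib.parse import urlparse

# Assumed thresholds and indicator lists (hypothetical; tune against real samples).
MAX_SIZE = 200 * 1024            # what counts as a "small" PDF
MIN_LINKS = 5                    # "many" external links / distinct hosts
MAX_DOMINANT_SHARE = 0.5         # no single host may own more than half the links
DISPOSABLE_HOSTS = {"files.freehost.example", "share.pastebin-like.example"}
UPLOAD_PATH_RE = re.compile(r"/(userfiles|ckfinder|fckeditor|uploads?|user_images)/", re.I)

URL_RE = re.compile(rb"https?://[^\s()<>\"']+")             # stops at the PDF string's ')'
ANNOT_URI_RE = re.compile(rb"/S\s*/URI\s*/URI\s*\(([^)]*)\)")  # /Link annotation URI action
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def extract_urls(pdf: bytes):
    """Return (url, channel) pairs. Channel is 'link-annotation' for /URI actions
    and 'document-text' for literals found inside content streams. Streams are
    assumed uncompressed here; a real extractor must inflate /FlateDecode first."""
    found = [(m.group(1).decode("latin-1"), "link-annotation")
             for m in ANNOT_URI_RE.finditer(pdf)]
    for s in STREAM_RE.finditer(pdf):
        found += [(m.group(0).decode("latin-1"), "document-text")
                  for m in URL_RE.finditer(s.group(1))]
    return found


def link_farm_verdict(pdf: bytes):
    """Score the external links the way the heuristic describes: many links,
    many hosts, no dominant host, corroborated by a utm_term redirector or a
    disposable host. Upload-directory paths and .pdf targets are reported as
    supporting context."""
    parsed = [urlparse(u) for u, _ in extract_urls(pdf)]
    hosts = Counter(p.hostname for p in parsed if p.hostname)
    n = len(parsed)
    dominant_share = (hosts.most_common(1)[0][1] / n) if n else 0.0
    context = {
        "utm_term_redirector": any("utm_term=" in p.query for p in parsed),
        "disposable_host": any(p.hostname in DISPOSABLE_HOSTS for p in parsed),
        "upload_path": any(UPLOAD_PATH_RE.search(p.path) for p in parsed),
        "pdf_targets": sum(p.path.lower().endswith(".pdf") for p in parsed),
    }
    flagged = (len(pdf) <= MAX_SIZE and n >= MIN_LINKS and len(hosts) >= MIN_LINKS
               and dominant_share <= MAX_DOMINANT_SHARE
               and (context["utm_term_redirector"] or context["disposable_host"]))
    return {"links": n, "hosts": len(hosts), "dominant_share": round(dominant_share, 2),
            "flagged": flagged, **context}


def build_sample_pdf(text_urls, annot_url):
    """Constructed test input: a minimal PDF with one /Link annotation and the
    given URLs as literal strings in an uncompressed content stream. The xref
    table is omitted; neither the regexes above nor lenient readers need it."""
    text_ops = b"".join(b"(%s) Tj T*\n" % u.encode() for u in text_urls)
    content = b"BT /F1 10 Tf 50 700 Td 12 TL\n" + text_ops + b"ET"
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >> endobj\n",
        b"4 0 obj << /Length %d >> stream\n" % len(content), content, b"\nendstream endobj\n",
        b"5 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
        b"/A << /S /URI /URI (%s) >> >> endobj\n" % annot_url.encode(),
        b"%%EOF\n",
    ])


def demo():
    """Run the heuristic on a constructed link-farm PDF and a constructed normal
    document; returns (farm verdict, normal verdict, farm URL list)."""
    farm = build_sample_pdf(
        ["http://site1.example/userfiles/file/a.pdf",
         "http://site2.example/ckfinder/userfiles/files/1234.pdf",
         "https://site3.example/wp-content/uploads/5678.pdf",
         "http://site4.example/user_images/file/b.pdf",
         "http://site5.example/fckeditor/userfiles/file/c.pdf",
         "http://files.freehost.example/d/e.pdf"],
        "https://redirector.example/uplcv?utm_term=free+template")
    normal = build_sample_pdf(
        ["https://docs.vendor.example/manual.pdf", "https://docs.vendor.example/faq"],
        "https://docs.vendor.example/")
    return link_farm_verdict(farm), link_farm_verdict(normal), extract_urls(farm)


if __name__ == "__main__":
    for name, verdict in zip(("link farm", "normal document"), demo()[:2]):
        print(name, verdict)
```

The normal document links three times to a single host, so its dominant-host share is 1.0 and it is not flagged even though it contains a .pdf link; the farm spreads seven links over seven hosts and carries both corroborators. On real samples the content streams are usually Flate-compressed and text may be split across several Tj operators, so the channel extraction should be done with a proper PDF library rather than the regexes used here.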

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                       Kind             Source                                      Size
font_00_sfnt_off0000d3d9.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xD3D9   11020 bytes
  SHA-256: 5ac9007f74e214747ce8ee2b6fdb50ce95c5248e7095ebd561633d43161dbcba
font_01_sfnt_off0000ed05.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xED05   16940 bytes
  SHA-256: f3d30f61233eaabcbd3901c5dca4b3a4c5851f4b0d61ed9cb78e3f6f2d8dbdb7