Malicious PDF — malware analysis report

Static analysis result for SHA-256 72df1ef0f217af07…

MALICIOUS

PDF

Size: 73.6 KB
Created: 2021-03-29 14:22:40 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 94c02affa7107919749866c244f4e976
SHA-1: 0487831f6f16af3f047d00a463281fdbcb95bd16
SHA-256: 72df1ef0f217af07d740095f00965cf987ac6a7f8ef0ec655d3fa5fd159f15fc
Risk Score: 126

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. It contains numerous embedded URLs, many pointing to disposable hosting, which suggests a link farm or phishing lure. The document body, though heavily obfuscated, contains metadata about how the PDF was created and possibly keywords that could be used in social engineering.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9919

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PDFSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000eb5f.bin
  SHA-256: f94c69ab8e78b2a7c78a4e0a4b6dad7338228c62cc0a09a3c2c4369d84f91379
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xEB5F
  Size: 5604 bytes

Filename: font_01_sfnt_off0000fe85.bin
  SHA-256: 82d1c0080e0ae3136a10e26c646659f8d79e083ad54759867686eae4fca2622d
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xFE85
  Size: 11572 bytes