Malicious PDF — malware analysis report

Static analysis result for SHA-256 73aff54140bbfc6c…

Verdict: MALICIOUS
File type: PDF
Size: 116.5 KB
Created: 2021-03-22 19:08:06 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-23
MD5: 2824083452a844f0aab164bc017daee6
SHA-1: d6c8a6435b08ebe388e8d5da058df86ce58c8528
SHA-256: 73aff54140bbfc6ccabb5f56a0e1e9531ce52e463a45c614dc5c5d3e60021741
Risk Score: 232

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

This PDF file was flagged by multiple high-confidence heuristics, including a critical finding for a malicious redirector link and ML classification. The presence of a visual download button and the 'password-protected archive' lure strongly suggest a phishing or malware distribution attempt. The embedded URL points to known malicious infrastructure, indicating the document's primary purpose is to redirect users to a harmful resource.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9984

Heuristics (7)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Password-protected archive handoff (high, SE_PASSWORD_ARCHIVE_LURE)
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning.
  • Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure (low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (label in parentheses gives the channel that reached each URL):
    • https://yafferge.ru/award?keyword=cardiologia+guadalajara+7ma+edicion+pdf+descargar (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4414695/normal_6056da67f3964.pdf (In PDF document text)
    • https://static.s123-cdn-static.com/uploads/4453907/normal_5ffe8a7404193.pdf (In PDF document text)
    • http://usesoda.pro/jokofujujalibosofaglvihl.pdf (In PDF document text)
    • http://gebigulexejo.sportsontheweb.net/schizoaffective_disorder_bipolar_type.pdf (In PDF document text)
    • https://zitudoxe.weebly.com/uploads/1/3/1/4/131437236/nisoku_vawezevaw_mepajoxanewe.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4456369/normal_5fd39eb03badf.pdf (In PDF document text)
    • http://pogadai.xyz/ressentimento_maria_rita_kehlv7tqk.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4454287/normal_60249cc58f474.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4468553/normal_601bc24bcbd68.pdf (In PDF document text)
    • https://buneresax.weebly.com/uploads/1/3/4/4/134478328/7417545.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4369166/normal_604a65235c76d.pdf (In PDF document text)
    • http://antonioit.space/64240298288rt9y4.pdf (In PDF document text)
    • https://pimakesoxokozo.weebly.com/uploads/1/3/4/0/134041299/tusetijebemudutuw.pdf (In PDF document text)
    • https://static.s123-cdn-static.com/uploads/4401515/normal_6008843ae564b.pdf (In PDF document text)
    • http://studytogether.fun/71759540794gr5zg.pdf (In PDF document text)
    • http://rubewox.sportsontheweb.net/mubapoworufetujejetasag.pdf (In PDF document text)
    • http://boost-store.net/fetokujesezezusaplaoa.pdf (In PDF document text)
    • http://flowerport.market/how_do_you_remove_the_head_of_an_oral_b_battery_toothbrushumkyw.pdf (In PDF document text)
    • http://naturagrush.space/xofojubasavovsdy8.pdf (In PDF document text)
    • https://fopabitibomasad.weebly.com/uploads/1/3/1/8/131857723/b97448b9d.pdf (In PDF document text)
    • http://oneshops.space/beposazarejewotuzawiar3v5.pdf (In PDF document text)
    • http://www.ascendercorp.com/ (In PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (In PDF document text)
    • http://pavabiza.atwebpages.com/49025679862.pdf (In PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (In PDF document text)
    • http://purl.org/dc/elements/1.1/ (In PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (In PDF document text)
    • https://savannah.gnu.org/projects/freefont/ (In PDF document text)
    • http://www.gnu.org/licenses/ (In PDF document text)
    • http://www.gnu.org/copyleft/gpl.html (In PDF document text)
    • http://scripts.sil.org/OFL (In PDF document text)
    • http://dejavu.sourceforge.net (In PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (In PDF document text)

Extracted artifacts (5)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off000142be.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x142BE
    Size: 6744 bytes
    SHA-256: 0eac1552a6a0cc8d6d43e14f5c157d052ff2bf21460314f67a2c213e0a454e63
  • font_01_sfnt_off00015374.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x15374
    Size: 4144 bytes
    SHA-256: c106d58775614b8687d2cec2364f052f47ed4182aa4439c8baa0d093ce163d71
  • font_02_sfnt_off00016230.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x16230
    Size: 5536 bytes
    SHA-256: bb029b93001137fec60ac5b7923adb4252cd50941bcfa8b91f7638564463cdf6
  • font_03_sfnt_off000174fd.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x174FD
    Size: 18832 bytes
    SHA-256: f3ea3c9909c49c8f28dbc0c1960c28f90e49c91f21857b0a32aa5cf5113b50ca
  • font_04_sfnt_off0001ac5f.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1AC5F
    Size: 16540 bytes
    SHA-256: 4dfc4be21b372af6b7d4e921fea458d8648119ae35d7676ba1dde0c3a0c963e7