Malicious PDF — malware analysis report

Static analysis result for SHA-256 758319e426ad94bd…

Verdict: MALICIOUS
File type: PDF
Size: 70.7 KB
Created: 2021-04-14 00:26:10 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 37eaed0a4cf58b240e0e1b3c42311e09
SHA-1: f09aa57c8d7abfa6a172ce026f8218d3b188bc9d
SHA-256: 758319e426ad94bd582253eaa00b473f13631f5b5e1f3821362fcf193e28030d
Risk score: 126

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF was flagged as malicious by the ML classifier and by ClamAV. The document body, though heavily obfuscated, suggests a lure related to stock trading. The many external URIs, most pointing to disposable hosting or link-farm pages, indicate that the PDF is designed to redirect readers to external sites for phishing or further payload delivery. No scripts were extracted; the verdict rests on the PDF structure and the URL patterns, which match a phishing or malware distribution campaign rather than a normal document.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9701

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting (severity: medium, rule: PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (severity: info, rule: PDF_URI)
    The PDF contains an external URL action.
  • PDF differential parser failed (severity: info, rule: PDF_DIFFERENTIAL_PARSE_FAILED)
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PDFSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://www.osgeurope.com/sites/osg-corporate.dev/files/webform/zizepuniket.pdf
    • https://www.newburghgroup.com/sites/default/files/webform/resumes/tikijoti.pdf
    • http://www.pbttphtk.gov.my/sites/default/files/webform/73261430544.pdf
    • http://www.pacificsportfraservalley.com/sites/default/files/webform/joxelivoresilawefuxeli.pdf
    • https://architecturaldesigninc.com/sites/default/files/36110977311.pdf
    • https://www.mothercare.ro/sites/default/files/webform/resumes/xigidaz.pdf
    • https://www.dgs-interparts.be/sites/default/files/jinez.pdf
    • http://www.friendlycc.com/sites/default/files/webform/kilolegejesap.pdf
    • https://ambrose.edu/sites/default/files/webform/bunovodedodasu.pdf
    • https://natsihwa.org.au/sites/default/files/webform/46250275999.pdf
    • https://www.enwidth.com/sites/default/files/webform/resumes/fudigebifofonixetizitalu.pdf
    • http://www.muttypawsacademy.com/sites/default/files/webform/vaccines/72246142748.pdf
    • http://www.pbttphtk.gov.my/sites/default/files/webform/3018222411.pdf
    • https://www.enwidth.com/sites/default/files/webform/resumes/75468476758.pdf
    • https://www.osgeurope.com/sites/osg-corporate.dev/files/webform/tajiwugebewozebukak.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://feedproxy.google.com/~r/Uplcv/~3/ngfLrbzwjls/uplcv?utm_term=panduan+belajar+saham+pdf
    • https://drones.princeton.edu/system/files/webform/94207829768.pdf
    • https://campusrec.princeton.edu/system/files/webform/rilawadabovoxilezevateg.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • Filename: font_00_sfnt_off0000e132.bin
    SHA-256: a5d337db1df764f15ca3e28a1e25d6e92e8afb0e6768b6acce68d8aac1afe04f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE132
    Size: 5496 bytes
  • Filename: font_01_sfnt_off0000f3b5.bin
    SHA-256: e59b0dca1779038f3e90c9913c606e290ec3eeaea1fa66a9af893250620244b4
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF3B5
    Size: 10556 bytes