Malicious PDF — malware analysis report

Static analysis result for SHA-256 7b5a77cb055224cc…

MALICIOUS

PDF

95.7 KB Created: 2021-09-20 02:47:45 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 6845199fa772f3f66f532ae99485887e SHA-1: e44ee4ed6921cb92a39f9ef2b9b8364df2630087 SHA-256: 7b5a77cb055224cc397b6d403a1bafa1d13c2c330b658b6d5ec742e01ff525de
126 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. It contains numerous embedded URLs that redirect to other PDF files, suggesting a link farm or redirection chain. The PDF_SEO_DISPOSABLE_LINK_FARM heuristic further supports this, indicating a pattern of using disposable hosting for these links. The primary attack pattern involves redirecting users through a series of links, likely to a phishing page or to download further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9965

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://pixomot.ru/uplcv?utm_term=0+0+0+1
    • http://huerural.com/uploads/image/files/kesewoxibog.pdf
    • http://kftchem.com/upload/files/zopidotezegakuzapubiguxom.pdf
    • https://ceylanotel.com/firma/files/70641324455.pdf
    • http://gsemilia.it/userfiles/files/rolifitozo.pdf
    • http://arcenevents.nl/site/upload/files/82259656687.pdf
    • https://cli-kh.com/uploads/files/202109052257251315.pdf
    • https://www.hdcorp.com.br/wp-content/plugins/super-forms/uploads/php/files/q3r7bppdednppkfstqeradvh0m/zoxisiba.pdf
    • http://groupementpecheduloir.com/ckfinder/userfiles/files/nixemavinawe.pdf
    • https://jfava.gemwareserp.com/userfiles/file/44646508919.pdf
    • https://pmapmc.com/userfiles/image/files/ninosawimosawemufuj.pdf
    • http://tccsrl.org/userfiles/files/xikagobibotinid.pdf
    • http://xn--b1akwe.xn--p1ai/userfiles/file/sijimesedazimaxibosubi.pdf
    • http://i-physiology.ru/upload/mimazetapekolikotad.pdf
    • https://40parables.com/wp-content/plugins/super-forms/uploads/php/files/a4db3d057c76f58a9edfe33868a38648/menuxawemizi.pdf
    • http://bharatandcompany.in/ckfinder/userfiles/files/vibugirupopo.pdf
    • https://safetypadlocks.eu/eurostyl/photos/file/94521260647.pdf
    • http://rialta.ie/userfiles/files/63182907364.pdf
    • https://telorgabus.com/contents/files/8939491674.pdf
    • http://sun-green.de/ckfinder/userfiles/files/52360327588.pdf
    • http://intelekt.biz/uploads/pages/files/99296011474.pdf
    • https://12shio3.com/contents/files/pisanezusewexap.pdf
    • http://chingyi.tw/userfiles/files/lilimagiv.pdf
    • http://chipgene.com/image/files/20210908_211555.pdf
    • http://ombs.ru/uploads/files/xuzusawigolisarofazuminu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00010f95.bin
76ba72d76633f891768166c288dbb290636de4f5ba39cd0f67887b4fbcf24400		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10F95 20856 bytes
font_01_sfnt_off00014648.bin
b8a0d75874c9e4a08203b37538c95b047bbc7320d5342648ed30ecb287af4dd7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x14648 9156 bytes
font_02_sfnt_off00015956.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x15956 16792 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.