Malicious PDF — malware analysis report

Static analysis result for SHA-256 7b9e2d5e75a9cf4b…

Verdict: MALICIOUS
File type: PDF
Size: 148.3 KB
Created: 2021-06-09 03:18:28 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-25
MD5: bd5d2cd72986dadd22e7bb3f09fce5d0
SHA-1: 04f63ff67ee6b5afa13fa4453e070b7c48db76aa
SHA-256: 7b9e2d5e75a9cf4b35c8144929387fc8b81b48b8a6f742bde0afb8ee2c292fc4
Risk score: 126

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript (mapping not corroborated by this analysis: no script content was extracted from the file)

The PDF contains numerous external URIs and is flagged as a link farm on disposable hosting (weebly.com, pbworks.com, f-static.net and s123-cdn-static.com subdomains), with a utm_term-tagged SEO redirector on pistant.ru reached through a link annotation. This is the 'free document/template' SEO phishing pattern rather than a normal document; the producer string (wkhtmltopdf) is consistent with an HTML page rendered to PDF rather than an authored document. The ML classifier (0.9519) and the ClamAV signature agree on malicious intent. No JavaScript or other active content was extracted, and the only streams carved from the file are embedded fonts, so the PDF itself carries no exploit; the risk is the redirect and payload chain behind the linked destinations. The duplicate object definition is an informational finding, consistent with an incremental update whose duplicate carries no active content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9519

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content; here it does not, hence the informational rating.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://pistant.ru/pbw?utm_term=review+of+related+literature+about+banana+peel+as+bioplastic (PDF link annotation; utm_term SEO redirector)
    Links to .pdf files on free/disposable content hosts, in PDF document text:
    • https://mekujukoner.weebly.com/uploads/1/3/4/7/134715553/tusefivafidos_tadivajisuxofit_wibegusamiropox.pdf
    • https://static.s123-cdn-static.com/uploads/4403407/normal_5fcd4fd51166a.pdf
    • https://cdn-cms.f-static.net/uploads/4476281/normal_5fe7e04ec81f2.pdf
    • https://melajepanaxon.weebly.com/uploads/1/3/5/3/135398769/99d74d658394.pdf
    • https://jirozonuk.weebly.com/uploads/1/3/1/6/131606844/mozeperadov-lusefapokoxuzuz.pdf
    • https://zimavilagapiwe.weebly.com/uploads/1/3/2/7/132712623/mumegipubuj-fejuzij-tevizu.pdf
    • https://ruxosegid.weebly.com/uploads/1/3/4/2/134265817/jusaxalamebatimoxuv.pdf
    • https://gakififevorejep.weebly.com/uploads/1/3/1/8/131872199/kodexeluzuvebar.pdf
    • https://cdn-cms.f-static.net/uploads/4480880/normal_601e32c216c06.pdf
    • https://static.s123-cdn-static.com/uploads/4475988/normal_5fc726b0216ba.pdf
    • https://vigenawora.weebly.com/uploads/1/3/4/4/134495248/5825412.pdf
    • http://risoxef.pbworks.com/f/frontline_commando_d_day_hacked_version_free_download.pdf
    • http://rugewenuzed.pbworks.com/f/12147036477.pdf
    • http://vogituvu.pbworks.com/f/hum_saath_hum_saath_saath_hain_full_movie.pdf
    • http://lakiluxodev.pbworks.com/f/76473374294.pdf
    • http://sejiliki.pbworks.com/w/file/fetch/144553701/mutekebimu.pdf
    • http://nolumemonip.pbworks.com/w/file/fetch/144528528/53771584692.pdf
    • http://zuvumuname.pbworks.com/f/where_can_i_get_free_brushes_for_procreate.pdf
    • http://wenitat.pbworks.com/f/miraculous_season_3_episode_1_online.pdf
    Font-license and XMP namespace URIs, in PDF document text (benign boilerplate from the embedded fonts and document metadata, not user-reachable links; the extractor ran several of them into adjacent text, noted per entry):
    • http://fontawesome.io and http://fontawesome.io/license/ (extracted as one run-together string)
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://scripts.sil.org (extractor ran it into the adjacent license text 'This')
    • http://www.fontrix.com and http://www.nhncorp.com (extracted as one run-together string)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://scripts.sil.org/
    • http://scripts.sil.org/OFL (second occurrence; extractor ran it into the adjacent text 'Abyssinica')
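
The PDF_SEO_DISPOSABLE_LINK_FARM heuristic above, re-implemented as an added example and run over the URLs this report extracted. This is not the analysis platform's own code: the thresholds, the disposable-host list (built from the hosts seen in this sample) and the metadata-URI prefix filter are assumptions made for the example.

```python
"""Link-farm heuristic run over the URLs extracted from this sample (added example)."""
from collections import Counter
from urllib.parse import parse_qs, urlparse

# URLs as listed in the EMBEDDED_URL finding for this sample (run-together extractor strings split).
EXTRACTED_URLS = [
    "https://pistant.ru/pbw?utm_term=review+of+related+literature+about+banana+peel+as+bioplastic",
    "https://mekujukoner.weebly.com/uploads/1/3/4/7/134715553/tusefivafidos_tadivajisuxofit_wibegusamiropox.pdf",
    "https://static.s123-cdn-static.com/uploads/4403407/normal_5fcd4fd51166a.pdf",
    "https://cdn-cms.f-static.net/uploads/4476281/normal_5fe7e04ec81f2.pdf",
    "https://melajepanaxon.weebly.com/uploads/1/3/5/3/135398769/99d74d658394.pdf",
    "https://jirozonuk.weebly.com/uploads/1/3/1/6/131606844/mozeperadov-lusefapokoxuzuz.pdf",
    "https://zimavilagapiwe.weebly.com/uploads/1/3/2/7/132712623/mumegipubuj-fejuzij-tevizu.pdf",
    "https://ruxosegid.weebly.com/uploads/1/3/4/2/134265817/jusaxalamebatimoxuv.pdf",
    "https://gakififevorejep.weebly.com/uploads/1/3/1/8/131872199/kodexeluzuvebar.pdf",
    "https://cdn-cms.f-static.net/uploads/4480880/normal_601e32c216c06.pdf",
    "https://static.s123-cdn-static.com/uploads/4475988/normal_5fc726b0216ba.pdf",
    "https://vigenawora.weebly.com/uploads/1/3/4/4/134495248/5825412.pdf",
    "http://risoxef.pbworks.com/f/frontline_commando_d_day_hacked_version_free_download.pdf",
    "http://rugewenuzed.pbworks.com/f/12147036477.pdf",
    "http://vogituvu.pbworks.com/f/hum_saath_hum_saath_saath_hain_full_movie.pdf",
    "http://lakiluxodev.pbworks.com/f/76473374294.pdf",
    "http://sejiliki.pbworks.com/w/file/fetch/144553701/mutekebimu.pdf",
    "http://nolumemonip.pbworks.com/w/file/fetch/144528528/53771584692.pdf",
    "http://zuvumuname.pbworks.com/f/where_can_i_get_free_brushes_for_procreate.pdf",
    "http://wenitat.pbworks.com/f/miraculous_season_3_episode_1_online.pdf",
    # Font-license and XMP namespace URIs: document metadata, not user-reachable links.
    "http://fontawesome.io", "http://fontawesome.io/license/", "http://www.ascendercorp.com/",
    "http://www.ascendercorp.com/typedesigners.html", "http://scripts.sil.org", "http://scripts.sil.org/OFL",
    "http://www.fontrix.com", "http://www.nhncorp.com", "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
    "http://purl.org/dc/elements/1.1/", "http://ns.adobe.com/pdf/1.3/", "http://ns.adobe.com/xap/1.0/",
    "http://ns.adobe.com/xap/1.0/mm/", "http://ns.adobe.com/xap/1.0/rights/",
]

# Prefixes of URIs that are metadata boilerplate rather than links a reader can follow.
METADATA_PREFIXES = (
    "http://www.w3.org/1999/02/22-rdf-syntax-ns", "http://purl.org/dc/", "http://ns.adobe.com/",
    "http://scripts.sil.org", "http://fontawesome.io", "http://www.ascendercorp.com",
    "http://www.fontrix.com", "http://www.nhncorp.com",
)
# Assumed list of free/disposable content hosts, built from the hosts seen in this sample.
DISPOSABLE_HOSTS = ("weebly.com", "pbworks.com", "f-static.net", "s123-cdn-static.com")


def is_disposable(host):
    return any(host == d or host.endswith("." + d) for d in DISPOSABLE_HOSTS)


def assess_link_farm(urls, min_links=8, max_dominant_share=0.5):
    """Score the link-farm shape: many external .pdf links spread thinly over distinct hosts,
    corroborated by a utm_term SEO redirector or by links parked on disposable hosts."""
    external = [u for u in urls if not u.startswith(METADATA_PREFIXES)]
    parsed = [urlparse(u) for u in external]
    hosts = Counter((p.hostname or "").lower() for p in parsed)
    dominant_share = max(hosts.values()) / len(external) if external else 0.0
    pdf_links = sum(1 for p in parsed if p.path.lower().endswith(".pdf"))
    seo_redirector = [u for u, p in zip(external, parsed) if "utm_term" in parse_qs(p.query)]
    disposable = [u for u, p in zip(external, parsed) if is_disposable((p.hostname or "").lower())]
    flagged = (
        len(external) >= min_links
        and dominant_share <= max_dominant_share  # no single dominant host
        and (bool(seo_redirector) or len(disposable) >= min_links // 2)
    )
    return {
        "external_links": len(external), "pdf_links": pdf_links, "distinct_hosts": len(hosts),
        "dominant_share": dominant_share, "seo_redirector": seo_redirector,
        "disposable_links": len(disposable), "flagged": flagged,
    }


if __name__ == "__main__":
    for key, value in assess_link_farm(EXTRACTED_URLS).items():
        print(f"{key}: {value}")
```

On this sample the 14 metadata URIs drop out, leaving 20 external links (19 of them .pdf) over 18 distinct hosts, a dominant-host share of 0.1, one utm_term redirector and 19 links on disposable hosts, so the shape is flagged. A document whose links all point at one publisher's host has a dominant share near 1.0 and is not flagged, which is the "non-clustered" part of the rule.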

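A scanner for the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL shape from the heuristics above, written for this report as an added example rather than taken from the analysis platform. It finds indirect objects defined more than once with differing body bytes, shows what a first-wins and a last-wins reader would each resolve, and raises severity only when a duplicate carries active content. The sample PDF is constructed here, and the active-content keyword list is an assumption.

```python
"""Detect indirect objects defined more than once with different bodies (added example)."""
import re

# "N G obj ... endobj"; the lookbehind stops "13 0 obj" from also matching as "3 0 obj".
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)

# Dictionary keys that carry behaviour (assumed list); a duplicate body containing any of them is worth a look.
ACTIVE_CONTENT = (b"/JavaScript", b"/JS", b"/Launch", b"/URI", b"/OpenAction", b"/AA", b"/SubmitForm", b"/GoToR")


def object_definitions(pdf_bytes):
    """Map (object number, generation) -> list of body bytes, in file order."""
    defs = {}
    for m in OBJ_RE.finditer(pdf_bytes):
        key = (int(m.group(1)), int(m.group(2)))
        defs.setdefault(key, []).append(m.group(3).strip())
    return defs


def duplicate_object_findings(pdf_bytes):
    """Report objects whose repeated definitions differ; byte-identical repeats (plain incremental updates) are ignored."""
    findings = []
    for key, bodies in object_definitions(pdf_bytes).items():
        if len(bodies) < 2 or len(set(bodies)) < 2:
            continue
        active = any(tag in body for body in bodies for tag in ACTIVE_CONTENT)
        findings.append({
            "obj": key,
            "definitions": len(bodies),
            "first_wins": bodies[0],   # what a reader that keeps the first definition uses
            "last_wins": bodies[-1],   # what a reader that honours the latest update uses
            "severity": "medium" if active else "info",
        })
    return findings


# Constructed sample: an original body followed by an incremental update that redefines three objects.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.com/brochure.pdf) >> >> endobj
5 0 obj << /Title (Quarterly report) >> endobj
trailer << /Root 1 0 R /Info 5 0 R >>
%% incremental update: 2 0 is byte-identical, 5 0 changes inert metadata, 4 0 swaps the link target
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.invalid/redirect) >> >> endobj
5 0 obj << /Title (Quarterly report v2) >> endobj
"""

if __name__ == "__main__":
    for f in duplicate_object_findings(SAMPLE_PDF):
        print(f"obj {f['obj']} defined {f['definitions']}x, severity {f['severity']}")
        print("  first-wins:", f["first_wins"].decode())
        print("  last-wins: ", f["last_wins"].decode())
```

The byte-identical repeat of object 2 produces no finding, the changed /Title on object 5 is reported at info, and object 4 is raised to medium because its two bodies disagree on a /URI action: a first-wins parser shows the reader the original link while a last-wins parser follows the redirect. The scanner matches on raw bytes and does not decode object streams or filtered content, so it sees only objects written in clear.
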
Extracted artifacts (6)

Files carved from inside the sample during analysis. All six are embedded sfnt font programs (the TrueType/OpenType container format); no script, form or embedded-file streams were carved, consistent with the absence of active content.

Filename                     | Kind            | Source                                     | Size        | SHA-256
font_00_sfnt_off0001bcf3.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1BCF3 | 1740 bytes  | 8a3742adb091f0f36bfb8c396f6a2087a749b56e5acb194333827086ef629055
font_01_sfnt_off0001c5a3.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1C5A3 | 5448 bytes  | 74f3a42ed8046706fa21b82d8b924c24ff1d8f92100800a8a2dd6f832ead00b8
font_02_sfnt_off0001d84d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1D84D | 21108 bytes | e299d682144afa5b4058d440624bc246cd7e6f6f0b4a92edb4b61f985bca47ca
font_03_sfnt_off0001f83d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1F83D | 4324 bytes  | 41fc7fc17a8f5f3eee65ef0bd2ff94dc96218df48a41ef802bf992b061012d3b
font_04_sfnt_off000209ba.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x209BA | 12484 bytes | 872af34759d742ee32aaec8985e49a8b1d486f3c1848ff7d986e331c2fdf34a4
font_05_sfnt_off00023380.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x23380 | 2852 bytes  | 5f498f95ef14eda652cef7cba1b07634ea99186a31961713636071ebe0055420