Malicious PDF — malware analysis report

Static analysis result for SHA-256 8074f5c02df36e02…

MALICIOUS

PDF

81.6 KB Created: 2021-03-23 00:38:25 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 13a87cc91c67e2648808a2a198ff19ec SHA-1: 131227f150c851e307a9840a61bb501102f3f7dd SHA-256: 8074f5c02df36e02917e7af4456b7370d02b1f56c6e249df4f91205b556fd203
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file was identified as malicious by multiple heuristics and an ML classifier, with ClamAV detecting it as a phishing trojan. It contains a large number of external links, many hosted on disposable domains, suggesting it is part of a link farm designed to redirect users to potentially malicious content. The document body is heavily obfuscated and appears to contain junk data, further supporting its malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://pelibifir.ru/aws?utm_term=how+to+make+healthy+salad+dressing+for+weight+loss
    • http://vatemuredaxusob.22web.org/pwc_annual_report_2020.pdf
    • https://bezakolat.weebly.com/uploads/1/3/4/3/134321390/pufirisud.pdf
    • http://rogevunesopu.medianewsonline.com/how_to_draw_manga_girl_poses.pdf
    • https://xisiwazebisa.weebly.com/uploads/1/3/4/7/134758569/kuxapakup.pdf
    • http://gukivuzijisuva.getenjoyment.net/the_science_of_accelerated_learning_download.pdf
    • http://zovofuti.mygamesonline.org/will_there_be_a_sequel_to_percy_jackson_sea_of_monsters.pdf
    • http://sukalobuvigaz.22web.org/fomagovexo.pdf
    • https://vodefuba.weebly.com/uploads/1/3/4/6/134688083/0331a615456b.pdf
    • http://dojemop.mywebcommunity.org/67558775927.pdf
    • https://monotolifevi.weebly.com/uploads/1/3/4/6/134683372/5515800.pdf
    • http://mufutekuson.getenjoyment.net/32173294117.pdf
    • http://baluninelekab.22web.org/why_wont_my_alta_fitbit_turn_on.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • http://vipuzot.rf.gd/cuento_de_caperucita_roja_para_colorear.pdf
    • http://xevojubalane.rf.gd/bootstrap_email_verification_template.pdf
    • http://gegapitigiz.rf.gd/31206631779.pdf
    • https://48b7024d-7414-4593-b44d-ed892b96ad15.filesusr.com/ugd/3e5db3_ff328873340c42929cf9f13bce093ca9.pdf?index=true
    • https://4192d618-ecd7-4808-8485-efd4d6773ded.filesusr.com/ugd/17a5db_3c68419b19a3471397615ab04a454c9b.pdf?index=true
    • https://42190e62-4dca-482d-a077-ae7b222d7779.filesusr.com/ugd/b91392_785943b2a2d9482aa53a2187c88262bb.pdf?index=true
    • http://fogokenum.onlinewebshop.net/how_to_use_krups_machine.pdf
    • http://witoluteg.epizy.com/nhtsa_manual_2015.pdf
    • http://gajutar.onlinewebshop.net/moduvuzipekujemewutefisi.pdf
    • https://1c437d0a-cccb-4a8a-93f1-39e0b5126915.filesusr.com/ugd/b91566_a144b843d4244f01bc7c8e818b4f4799.pdf?index=true
    • http://wumepudefix.rf.gd/kuvabalil.pdf
    • http://xemubekimivimed.epizy.com/junior_assistant_question_paper_2020.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f308.bin
5ba9837b19bfadcfee816093bdb83d0ac415622504c6d48331a0f999b25f2bcd		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF308 5328 bytes
font_01_sfnt_off0001050f.bin
f1af690cf3fbcaaceebe6906fc5e933da33776b4502361572775984e91a6f908		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1050F 10996 bytes
font_02_sfnt_off00012a82.bin
4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12A82 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.