Malicious PDF — malware analysis report

Static analysis result for SHA-256 8457db4028d19a36…

MALICIOUS

PDF

69.9 KB Created: 2021-01-01 09:57:52 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-15
MD5: 5316023bed6ed5964cb4dc7ec11a92c7 SHA-1: 2dc330d3154a3dbbb4abbf920ea3fefaf3674ddc SHA-256: 8457db4028d19a3606e6bf674ab34fc1db4019ac18be06695c5a9817905c3e21
204 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains heuristics indicating it is a phishing lure, specifically mentioning a fake invoice. It embeds multiple external links, with one prominent redirector URL leading to a suspicious domain. The ML classifier and ClamAV detection strongly suggest malicious intent, likely to redirect users to a site that hosts further malicious content or exploits.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffset.ru/strik?utm_term=powerschool+mobile+app PDF link annotation
    • https://fomodaduvi.weebly.com/uploads/1/3/4/7/134700625/1ef16bd2.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4392470/normal_5fd29579b00ea.pdfIn PDF document text
    • https://cdn.sqhk.co/gotirawuz/gfB5Nge/medical_mini_stroke_tia.pdfIn PDF document text
    • https://wepebajaka.weebly.com/uploads/1/3/4/5/134588919/d58dc2803d580f0.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4369933/normal_5f9b158ebaa9e.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4392649/normal_5f9bdf805d9ab.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4401559/normal_5f95e8c8d2c5c.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4461767/normal_5fadddc8940e3.pdfIn PDF document text
    • https://gapidekejoz.weebly.com/uploads/1/3/4/8/134876705/tisosadizin-dofoxigapepozu.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://s3.amazonaws.com/bufipevuril/fugezemosafefejumudi.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d400.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD400 5408 bytes
SHA-256: fdcf4869d5cb78909b67ce1b6fad7f714c37892b0ae11335b4cf9147cc8d0ffe
font_01_sfnt_off0000e643.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE643 11008 bytes
SHA-256: f5e536177f251781765d89536f8d5479ddce32b1a1902be9cad6bbb33109ee8c