Malicious PDF — malware analysis report

Static analysis result for SHA-256 847cdb7c3bdef63f…

Verdict: MALICIOUS
File type: PDF
Size: 55.1 KB
Created: 2021-10-02 14:52:41 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-11-02
MD5: 73a7057b82c57f49aab5f70735c1f007
SHA-1: bc3e4aa5fafcfdfc42490cbdf9d2b3bb943c374b
SHA-256: 847cdb7c3bdef63f56be94b67c4fbec43ac4bbab8e461cd32d9edf31e1fe617b
Risk Score: 124

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, many of which are hosted on disposable domains and appear to be part of a link farm. The ML classifier and ClamAV detection strongly indicate malicious intent, likely related to phishing or redirecting users to malicious sites. The presence of embedded URLs and the PDF_URI heuristic further support this, suggesting the document's primary purpose is to drive traffic to these external resources.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8039

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting (severity: medium, rule: PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit: the risk is the linked destinations.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://synerhu.ru/uplcv?utm_term=tables+1+to+20+pdf (channel: PDF link annotation)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000af8a.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xAF8A
Size: 15620 bytes
SHA-256: bd1e9a77e3c89e9e33b060d33e1ba35397c3b05850a5a8f1966c64415090a78b