Malicious PDF — malware analysis report

Static analysis result for SHA-256 851226d7ecfb02bd…

MALICIOUS

PDF

81.3 KB Created: 2021-03-27 16:55:24 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6b2a09d96c2a64cbc38a9350398b9ffc SHA-1: dcfa21fb7b7acec78a0cbfc84f042dd14539eeb5 SHA-256: 851226d7ecfb02bddd68eccf23c96f29b57f778343c742da4df2f71819bf07e5
126 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The sample was detected as malicious by ML classifiers and ClamAV, indicating a phishing or trojan threat. It contains numerous embedded URLs, many pointing to disposable hosting, suggesting a link farm designed to redirect users to malicious content. The PDF's structure and embedded URIs strongly suggest it's part of a phishing campaign or a downloader for further malicious payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://xajibur.ru/123?utm_term=generos+periodisticos+reportaje+interpretativo
    • http://sopafekidis.sportsontheweb.net/byzantine_art_and_archaeology.pdf
    • http://jologedeb.getenjoyment.net/bern_s_steakhouse_wine_list.pdf
    • http://tifalez.iblogger.org/why_is_my_swamp_cooler_not_cooling_my_house.pdf
    • http://nopopoxozexa.iblogger.org/64343278541.pdf
    • http://vomidujoma.scienceontheweb.net/kindergeld_2020_antrag.pdf
    • http://pusewuvi.medianewsonline.com/gedatejikogunarenoj.pdf
    • http://riragukigud.scienceontheweb.net/probability_sample_space_and_events.pdf
    • http://ximasoj.22web.org/donoremevasekaj.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://susabumo.atwebpages.com/how_to_study_the_catholic_bible.pdf
    • http://ginisanekuxowo.epizy.com/augustine_confessions_book_8.pdf
    • https://02bc4616-4eae-4b38-b2c9-0e654f754ee0.filesusr.com/ugd/069df5_92da864a6c254becbc04ad7a43435469.pdf?index=true
    • http://nidemavaguwagev.rf.gd/exercicio_de_botanica.pdf
    • http://biwipekimati.rf.gd/organic_chemistry_alkanes_worksheet.pdf
    • https://ff4d9611-e7ea-45f2-85d3-f0b464ef817f.filesusr.com/ugd/48f461_64fe0ba208f54dfe836c37ef97e15304.pdf?index=true
    • https://bad3f395-1638-4667-b349-d6f934eeab49.filesusr.com/ugd/ed2d23_0a1159a3a1614450912f54d98fe670b4.pdf?index=true
    • http://luzavevamafidix.epizy.com/wixikoxozarelo.pdf
    • http://totepotolijezib.rf.gd/67372606253.pdf
    • https://923a8ca3-316b-4844-b38f-9bc955ad4852.filesusr.com/ugd/312e0e_1c0260c3a46f4ec4877b17be9e58dde3.pdf?index=true
    • http://xewaxal.epizy.com/odia_new_movie_blackmail_song.pdf
    • http://kavibajegis.onlinewebshop.net/xajirazokuvof.pdf
    • https://da89e6ec-52f9-4c28-8de8-447a2e923c0c.filesusr.com/ugd/5e5b2a_4b145057e5f2456d9e736d757c812045.pdf?index=true
    • https://67bb8873-ca08-4da4-87c0-60a8072ebff6.filesusr.com/ugd/a838c0_30940ffe0ad14176a1a063a705e7f3f3.pdf?index=true
    • https://f1801c53-b3f5-4b94-a9b3-4bb8eb376a66.filesusr.com/ugd/af633f_8ffc229a0f0943d9b3ca7096e5d3d5a1.pdf?index=true
    • http://fukesok.rf.gd/97353895159.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000fd72.bin
77b6c51ca545b7bf98e98ab4fd92dc42ecbf8e7198f9ec24f5340a5dc1b67041		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFD72 5204 bytes
font_01_sfnt_off00010f42.bin
b6634dd83327c9f1808e19edcd948b14223587545a9213b44eca37f6c6a7a9df		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10F42 11980 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.