Malicious PDF — malware analysis report

Static analysis result for SHA-256 87b41f50bc085143…

Verdict: MALICIOUS
File type: PDF
Size: 93.0 KB
Created: 2021-03-19 04:07:06 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-07-13
MD5: 617d1bff168b302ee8e53ff2a2876399
SHA-1: 2ba93f0a0934e472e5fae9c2d7a9a15ee93ae6d6
SHA-256: 87b41f50bc085143d0f8164135b2b108fd9658e51f597b7b238c668cb48ca293
Risk score: 134

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1059.007 Command and Scripting Interpreter: JavaScript
Note: only T1566.001 is corroborated by the heuristics below. No JavaScript action or script stream appears among the findings; the file's active content is limited to a URL action, so the T1059.007 mapping should be treated as a family-level label rather than an observed behaviour of this sample.

This PDF was flagged as malicious by the ML classifier (score 0.9983) and by ClamAV's Pdf.Phishing.Trojan signature. The document carries a large number of external URIs spread thin across many disposable content hosts with no single dominant host, together with a utm_term SEO-redirector link: the profile of a "free document/template" link farm that ranks for search queries and routes readers into redirect or payload chains rather than a document with a normal citation pattern. An urgency/deadline lure was also detected, but that signal is low on its own. No exploit or script content was found in the file itself, and the one duplicated object definition is reported at info level; the risk lies in the linked destinations, so the actionable indicators are the URLs and hosts listed below rather than the file's structure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9983

Heuristics (6)

  • ClamAV detection [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting [medium, PDF_SEO_DISPOSABLE_LINK_FARM]
    A small PDF contains many external links to other PDF files, spread thin across many distinct hosts with no single dominant host, corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the "free document/template" SEO phishing PDF family: the document ranks for search queries and routes users into payload or redirect chains, which is not how a normal document cites sources. The PDF itself carries no exploit; the risk is the linked destinations.
  • Urgency / deadline lure [low, SE_URGENCY_LURE]
    The document contains urgency or deadline language ("account will be terminated", "action required within 24 hours", etc.). This is useful context but low-signal without other findings.
  • External URI [info, PDF_URI]
    The PDF contains an external URL action.
  • Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content (a /JS, /URI, /Launch, /OpenAction or similar key); here it stays at info, meaning no such content was found in the conflicting definitions.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. A URL by itself is not a detection; the channel label states which part of the file (macro, JavaScript, link annotation, document body, ...) reached each URL.

    Lure and redirector URLs (26):

    From a PDF link annotation (1; the utm_term parameter marks it as the SEO redirector cited by the link-farm heuristic):
      https://jumiwimov.ru/strik?utm_term=best+conclusions+examples

    From PDF document text (25; every one points at a .pdf on a free upload host or a throwaway domain; note the homoglyph in helplnstagramoffice.com, "l" for "i"):
      https://cdn.sqhk.co/nufesewepi/ihhhIl7/convert_pounds_to_ounces_formula.pdf
      https://poxatekegevu.weebly.com/uploads/1/3/4/7/134753674/3333736.pdf
      https://cdn-cms.f-static.net/uploads/4462344/normal_604f4f06bac52.pdf
      https://static.s123-cdn-static.com/uploads/4479933/normal_5fcab02ddaca9.pdf
      https://cdn.sqhk.co/lazemowul/ugiIjif/oldest_viral_videos_on_youtube.pdf
      https://cdn.sqhk.co/vudupapuj/etmEifl/6934241247.pdf
      http://geosen.net/61314956549x6sx.pdf
      https://cdn.sqhk.co/zipedufipiz/fgfhegd/archery_master_3d_mod_apk_happymod.pdf
      http://helplnstagramoffice.com/biblia_de_jerusalenvceii.pdf
      https://static.s123-cdn-static.com/uploads/4377935/normal_60055e83382fb.pdf
      https://molisepav.weebly.com/uploads/1/3/5/3/135347716/85eac591.pdf
      https://xagixuruzetel.weebly.com/uploads/1/3/4/3/134319769/8956797.pdf
      https://cdn-cms.f-static.net/uploads/4444358/normal_6031498181fe0.pdf
      https://cdn.sqhk.co/fekepazerox/UAcghfR/best_spades_app_with_friends.pdf
      http://shopsmmv.site/how_to_subpoena_bank_records_in_south_africac8gf7.pdf
      http://bravos-kids.ru/tearoom_trade_definitionte74s.pdf
      https://bivufinemena.weebly.com/uploads/1/3/1/3/131380184/filutukarogebu_tigeta.pdf
      https://static.s123-cdn-static.com/uploads/4409610/normal_6004e4d4a7a4a.pdf
      https://1a447ccf-a6a5-490c-ad31-399ae8169532.filesusr.com/ugd/cf5184_8b58b692b6c84f0d98d18ff3d145b52e.pdf?index=true
      https://uploads.strikinglycdn.com/files/ebf62b63-990b-44b4-b906-0b85b3fba1ea/how_much_is_a_hybrid_battery_for_a_honda_civic.pdf
      https://uploads.strikinglycdn.com/files/fdcac7bd-1db0-41af-be21-de3974a99bdb/libro_de_fisica_2_secundaria_infinita_completo.pdf
      https://b5c4f4dd-ae1f-4f6a-908c-f463551224e4.filesusr.com/ugd/dafd60_586ed3c66cbc4edbbc244cb61a7e1fdb.pdf?index=true
      https://uploads.strikinglycdn.com/files/baf6c84d-8864-4959-8450-545675aa97a8/99_dewalt_drill_at_lowes.pdf
      https://931f52e6-cb68-4a93-8e02-54808d33f8b6.filesusr.com/ugd/6290de_6a1f14f08d854a1a8ffd8a6e13227d0a.pdf?index=true
      https://uploads.strikinglycdn.com/files/07913e7e-cdda-4f06-89b5-e157d9598bf3/24052173079.pdf

    Metadata URIs from PDF document text (12): XMP/RDF namespace declarations and font vendor/licence pointers. Any PDF that carries an XMP packet and these embedded fonts contains them; they are not indicators and should be excluded before the URL list is used for blocking or pivoting.
      http://www.ascendercorp.com/
      http://www.ascendercorp.com/typedesigners.html
      http://www.daltonmaag.com/
      http://www.w3.org/1999/02/22-rdf-syntax-ns#
      http://purl.org/dc/elements/1.1/
      http://ns.adobe.com/pdf/1.3/
      http://ns.adobe.com/xap/1.0/
      http://ns.adobe.com/xap/1.0/mm/
      http://ns.adobe.com/xap/1.0/rights/
      http://scripts.sil.org/OFL
      http://dejavu.sourceforge.net
      http://dejavu.sourceforge.net/wiki/index.php/License
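The link-farm heuristic above rests on three measurable properties of the extracted URLs: many external links, no dominant host, and either a utm_term redirector or links parked on free upload hosts. The following is an added example, not the analyzer's own code, that computes those properties over the URL list reproduced from this report (with three of the metadata URIs included to show the exclusion). The disposable-host list, the metadata prefixes and the thresholds are assumptions chosen for the demonstration.

```python
"""Added example: host-dispersion scoring behind PDF_SEO_DISPOSABLE_LINK_FARM.
Not the analyzer's implementation; lists and thresholds below are assumptions."""
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Free site-builder / static-upload hosts seen in this report (assumed list; extend it).
DISPOSABLE_HOST_SUFFIXES = ("weebly.com", "filesusr.com", "strikinglycdn.com",
                            "f-static.net", "s123-cdn-static.com", "sqhk.co")

# XMP/RDF namespaces and font licence or vendor pointers: present in any PDF that
# carries an XMP packet and these fonts, so they are excluded from link scoring.
METADATA_PREFIXES = ("http://www.w3.org/1999/02/22-rdf-syntax-ns",
                     "http://purl.org/dc/elements/1.1/", "http://ns.adobe.com/",
                     "http://scripts.sil.org/OFL", "http://dejavu.sourceforge.net",
                     "http://www.ascendercorp.com/", "http://www.daltonmaag.com/")

# (channel, url) pairs copied from this report: 'annotation' = reached via a /Link
# annotation, 'text' = found in document text. Three metadata URIs are included.
REPORT_URLS = [tuple(line.split(None, 1)) for line in """
annotation https://jumiwimov.ru/strik?utm_term=best+conclusions+examples
text https://cdn.sqhk.co/nufesewepi/ihhhIl7/convert_pounds_to_ounces_formula.pdf
text https://poxatekegevu.weebly.com/uploads/1/3/4/7/134753674/3333736.pdf
text https://cdn-cms.f-static.net/uploads/4462344/normal_604f4f06bac52.pdf
text https://static.s123-cdn-static.com/uploads/4479933/normal_5fcab02ddaca9.pdf
text https://cdn.sqhk.co/lazemowul/ugiIjif/oldest_viral_videos_on_youtube.pdf
text https://cdn.sqhk.co/vudupapuj/etmEifl/6934241247.pdf
text http://geosen.net/61314956549x6sx.pdf
text https://cdn.sqhk.co/zipedufipiz/fgfhegd/archery_master_3d_mod_apk_happymod.pdf
text http://helplnstagramoffice.com/biblia_de_jerusalenvceii.pdf
text https://static.s123-cdn-static.com/uploads/4377935/normal_60055e83382fb.pdf
text https://molisepav.weebly.com/uploads/1/3/5/3/135347716/85eac591.pdf
text https://xagixuruzetel.weebly.com/uploads/1/3/4/3/134319769/8956797.pdf
text https://cdn-cms.f-static.net/uploads/4444358/normal_6031498181fe0.pdf
text https://cdn.sqhk.co/fekepazerox/UAcghfR/best_spades_app_with_friends.pdf
text http://shopsmmv.site/how_to_subpoena_bank_records_in_south_africac8gf7.pdf
text http://bravos-kids.ru/tearoom_trade_definitionte74s.pdf
text https://bivufinemena.weebly.com/uploads/1/3/1/3/131380184/filutukarogebu_tigeta.pdf
text https://static.s123-cdn-static.com/uploads/4409610/normal_6004e4d4a7a4a.pdf
text https://1a447ccf-a6a5-490c-ad31-399ae8169532.filesusr.com/ugd/cf5184_8b58b692b6c84f0d98d18ff3d145b52e.pdf?index=true
text https://uploads.strikinglycdn.com/files/ebf62b63-990b-44b4-b906-0b85b3fba1ea/how_much_is_a_hybrid_battery_for_a_honda_civic.pdf
text https://uploads.strikinglycdn.com/files/fdcac7bd-1db0-41af-be21-de3974a99bdb/libro_de_fisica_2_secundaria_infinita_completo.pdf
text https://b5c4f4dd-ae1f-4f6a-908c-f463551224e4.filesusr.com/ugd/dafd60_586ed3c66cbc4edbbc244cb61a7e1fdb.pdf?index=true
text https://uploads.strikinglycdn.com/files/baf6c84d-8864-4959-8450-545675aa97a8/99_dewalt_drill_at_lowes.pdf
text https://931f52e6-cb68-4a93-8e02-54808d33f8b6.filesusr.com/ugd/6290de_6a1f14f08d854a1a8ffd8a6e13227d0a.pdf?index=true
text https://uploads.strikinglycdn.com/files/07913e7e-cdda-4f06-89b5-e157d9598bf3/24052173079.pdf
text http://www.ascendercorp.com/
text http://ns.adobe.com/xap/1.0/
text http://dejavu.sourceforge.net
""".strip().splitlines()]


def is_metadata_url(url):
    return url.startswith(METADATA_PREFIXES)


def is_disposable_host(host):
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in DISPOSABLE_HOST_SUFFIXES)


def score_link_farm(urls, min_links=10, max_dominant_share=0.5):
    """urls: iterable of (channel, url). Returns the evidence the heuristic uses
    plus a boolean verdict. The dominant-host share is the key discriminator: a
    normal document cites a few hosts repeatedly, a link farm spreads links thin."""
    external = [(c, u) for c, u in urls if not is_metadata_url(u)]
    hosts = Counter((urlsplit(u).hostname or "").lower() for _, u in external)
    total = len(external)
    dominant_host, dominant_n = hosts.most_common(1)[0] if hosts else ("", 0)
    dominant_share = dominant_n / total if total else 0.0
    disposable = [u for _, u in external if is_disposable_host(urlsplit(u).hostname or "")]
    seo_redirectors = [u for _, u in external if "utm_term" in parse_qs(urlsplit(u).query)]
    pdf_targets = [u for _, u in external if urlsplit(u).path.lower().endswith(".pdf")]
    verdict = (total >= min_links and dominant_share <= max_dominant_share
               and (len(disposable) > 0 or len(seo_redirectors) > 0))
    return {
        "external_links": total,
        "distinct_hosts": len(hosts),
        "dominant_host": dominant_host,
        "dominant_share": round(dominant_share, 3),
        "disposable_links": len(disposable),
        "pdf_targets": len(pdf_targets),
        "seo_redirectors": seo_redirectors,
        "channels": dict(Counter(c for c, _ in external)),
        "link_farm": verdict,
    }


if __name__ == "__main__":
    for key, value in score_link_farm(REPORT_URLS).items():
        print(f"{key}: {value}")
```

On this sample the dominant host (cdn.sqhk.co) accounts for under a fifth of the 26 external links, 21 of them sit on the disposable hosts, and the single annotation URL carries utm_term, so the verdict is positive. Run the same function over a normal whitepaper and the dominant-host share climbs towards 1.0 and the verdict flips, which is what makes the metric useful for triage rather than just for this family.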
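The duplicate-object finding above (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) is worth being able to reproduce by hand, because whether it matters depends entirely on what the conflicting bodies contain. The following is an added example, not the analyzer's code: it scans raw PDF bytes for every `N G obj ... endobj` definition, groups them by object number and generation, reports the ones whose bodies differ, and grades each by whether any definition carries an active-content key. The sample PDF bytes are constructed for the demo (an incremental update that swaps the target of a /Link annotation and, benignly, refreshes /ModDate); the active-key list is an assumption.

```python
"""Added example: find indirect objects defined more than once with different
bodies and grade them by active content. Not the analyzer's implementation;
SAMPLE_PDF is constructed for this demo and omits xref tables on purpose."""
import hashlib
import re

# Every "N G obj ... endobj" definition in the byte stream, xref-independent.
# The digit lookbehind stops "11 0 obj" from also matching as "1 0 obj".
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)

# Dictionary keys that make a duplicate body worth escalating (assumed list).
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/URI", b"/Launch", b"/OpenAction",
               b"/AA", b"/SubmitForm", b"/GoToR", b"/EmbeddedFile")

# Constructed sample: original revision, then an incremental update that redefines
# object 4 (link target changed: active content) and object 5 (only /ModDate changed).
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]"
    b" /Annots [4 0 R] >>\nendobj\n"
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [72 700 300 720]"
    b" /A << /S /URI /URI (https://example.com/original) >> >>\nendobj\n"
    b"5 0 obj\n<< /Producer (demo) /ModDate (D:20210319040706) >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Info 5 0 R >>\n%%EOF\n"
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [72 700 300 720]"
    b" /A << /S /URI /URI (https://attacker.example/redirect) >> >>\nendobj\n"
    b"5 0 obj\n<< /Producer (demo) /ModDate (D:20210713000000) >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Info 5 0 R >>\n%%EOF\n"
)


def find_duplicate_objects(data):
    """Return one record per (num, gen) that is defined more than once with
    differing body bytes, sorted by object number."""
    defs = {}
    for m in OBJ_RE.finditer(data):
        key = (int(m.group(1)), int(m.group(2)))
        defs.setdefault(key, []).append((m.start(), m.group(3).strip()))
    out = []
    for key, entries in defs.items():
        digests = {hashlib.sha256(body).hexdigest() for _, body in entries}
        if len(digests) < 2:
            continue  # redefined with identical bytes: not a confusion shape
        active = sorted({k.decode() for _, body in entries for k in ACTIVE_KEYS if k in body})
        out.append({
            "obj": key,
            "definitions": len(entries),
            "distinct_bodies": len(digests),
            "offsets": [off for off, _ in entries],
            "active_content": active,
            "severity": "high" if active else "info",
        })
    return sorted(out, key=lambda d: d["obj"])


def resolve_object(data, num, gen, policy="last"):
    """Body a reader sees for (num, gen). A conforming reader follows the trailer
    /Prev chain newest-first, so it takes the last definition; a naive scanner
    that stops at the first 'N G obj' takes the original one."""
    bodies = [m.group(3).strip() for m in OBJ_RE.finditer(data)
              if (int(m.group(1)), int(m.group(2))) == (num, gen)]
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


if __name__ == "__main__":
    for rec in find_duplicate_objects(SAMPLE_PDF):
        print(rec)
    print(resolve_object(SAMPLE_PDF, 4, 0, "first"))
    print(resolve_object(SAMPLE_PDF, 4, 0, "last"))
```

For a real file, pass `open(path, "rb").read()` to `find_duplicate_objects`. Two caveats: the regex does not descend into compressed object streams (`/ObjStm`), which need inflating first, and a stream whose raw bytes happen to contain the literal `endobj` will truncate that object's body, so treat a surprising hit as a prompt to look at the offsets rather than as proof.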

Extracted artifacts (4)

Files carved from inside the sample during analysis. All four are embedded font programs (sfnt), which is consistent with wkhtmltopdf output; no script, executable or embedded-file attachment was carved, in line with the finding that the file itself carries no exploit.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off00010993.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10993 | 4984 bytes | 862b488ef1dc3067e1d355f2cfae2780b6c66b64eca8d8782381f38417ed47ed
font_01_sfnt_off00011a6f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11A6F | 11220 bytes | 984926040a4f3d6c9c9fab761168f7c9dbdb70c6a2f36c4838c0e49119d7dd0a
font_02_sfnt_off000140cb.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x140CB | 16312 bytes | aad9bc0f36eadc3314e08670b59090120051e308b357201f134af3d0b781b2b0
font_03_sfnt_off00015657.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x15657 | 4324 bytes | ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3