Malicious PDF — malware analysis report

Static analysis result for SHA-256 89fe0df12342fbc1…

MALICIOUS

PDF

93.8 KB Created: 2021-03-10 21:28:58 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f2d2091865063075bcbaf86a5ee4aa62 SHA-1: 2fb40ae8a0f3b2a678d1a863aca1ff64220654da SHA-256: 89fe0df12342fbc149f96208e8af17041d09cfdccdca4549b2f69cab96c0d23b
166 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous embedded URLs and is flagged as a link farm on disposable hosting, suggesting a phishing or malware distribution attempt. The 'SE_PASSWORD_ARCHIVE_LURE' heuristic indicates the document likely instructs the user to download a password-protected archive, a common tactic to evade gateway scanning. The ML classifier and ClamAV detection strongly indicate malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9988

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://nipisod.ru/123?utm_term=extra+deep+fitted+sheet+only
    • https://funofumid.weebly.com/uploads/1/3/4/8/134886651/80f0608d08.pdf
    • https://woxazalaxit.weebly.com/uploads/1/3/4/2/134235403/fbda69.pdf
    • https://kelobutino.weebly.com/uploads/1/3/0/9/130969458/sokij-vesekotodar-zovutafamo-rajefekap.pdf
    • https://cdn.sqhk.co/zifiguwosu/jihbvhb/gedinakuxilapa.pdf
    • https://static.s123-cdn-static.com/uploads/4476135/normal_6003ea538f55c.pdf
    • https://static.s123-cdn-static.com/uploads/4481423/normal_600017609aec2.pdf
    • https://static.s123-cdn-static.com/uploads/4474722/normal_5ffd489bc0636.pdf
    • https://cdn-cms.f-static.net/uploads/4449614/normal_5fd66735b2200.pdf
    • https://worojuwoxalo.weebly.com/uploads/1/3/0/8/130814432/034f85.pdf
    • https://cdn-cms.f-static.net/uploads/4489032/normal_6014c0b039848.pdf
    • https://cdn-cms.f-static.net/uploads/4428054/normal_602d302ac7460.pdf
    • https://cdn.sqhk.co/vitimosugu/gd4wHja/17105843814.pdf
    • https://cdn.sqhk.co/texonatuzi/NYYoHha/battlelands_royale_ios_hack.pdf
    • https://cdn.sqhk.co/rureroso/hgchQjd/auto_parts_usa_used.pdf
    • https://xarudaxukisa.weebly.com/uploads/1/3/4/0/134018653/ec1c8df4.pdf
    • https://cdn.sqhk.co/liminekaj/gjbMfiK/sweet_fruit_candy_mod_apk.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://s3.amazonaws.com/pizivurapab/43683354676.pdf
    • https://s3.amazonaws.com/dudujopixejikug/76798299660.pdf
    • https://uploads.strikinglycdn.com/files/eae0744d-72e6-4c4a-8f5a-bec13dcfa770/motorola_mc40_walmart_admin_password.pdf
    • https://uploads.strikinglycdn.com/files/79035ef3-cd91-4db2-84c9-ad6b0d4271da/69744557562.pdf
    • https://uploads.strikinglycdn.com/files/b1985c4a-2b8f-476f-b35a-24aee78f23b6/xuzowogawapejol.pdf
    • https://uploads.strikinglycdn.com/files/10f577f0-c427-41fb-bbf4-935de471a731/how_to_blend_colored_pencils_with_water.pdf
    • https://s3.amazonaws.com/dazovosugev/annexure_h_form_for_indian_passport.pdf
    • https://uploads.strikinglycdn.com/files/f36f0c62-fd7d-44c4-8078-f582fdc53ec7/sudevoxevizija.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00012357.bin
4528b0688ebb4c904668f929dbdea5948d21f6de410b19c65d61e0a87ec2385d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12357 5044 bytes
font_01_sfnt_off0001347e.bin
7b014600baf1ddb13c8cd0cf90d750351f9f29d416f53625ca9d20aae2de63da		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1347E 11468 bytes
font_02_sfnt_off00015b6d.bin
b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x15B6D 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.