Malicious PDF — malware analysis report

Static analysis result for SHA-256 8ee5f3967e2c1d53…

MALICIOUS

PDF

85.2 KB Created: 2021-02-24 17:59:52 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-05-29
MD5: 00766d9caa92cc6983957e04d6360120 SHA-1: 347d75f2d371954ca766901930105d10dcb455b2 SHA-256: 8ee5f3967e2c1d5348c24899d3672fd76968b16d69fe65f0e0462e8c803c86bc
184 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF was flagged by multiple heuristics as malicious, including a critical alert for linking to known malicious redirector infrastructure. The document contains a large number of embedded URLs, many pointing to disposable domains or link farms, suggesting a phishing or scam attempt. While no scripts were explicitly extracted, the PDF structure and the nature of the URLs indicate a likely attempt to redirect users to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://yafferge.ru/123?utm_term=holy+blood+holy+grail+lawsuit In PDF document text
    • https://tenubufaz.weebly.com/uploads/1/3/1/1/131164261/dovorupuwad.pdfIn PDF document text
    • https://wivixape.weebly.com/uploads/1/3/4/8/134897282/guniserapa_welunivuve_rumijufopike_xogimawiwira.pdfIn PDF document text
    • https://muxetomanudone.weebly.com/uploads/1/3/1/4/131406273/ff94fe1c7889d1.pdfIn PDF document text
    • http://lnstagram-blue-ticks.com/magic_chef_mini_fridge_temperature_adjustmento1v7h.pdfIn PDF document text
    • http://jinokonur.22web.org/85084032143.pdfIn PDF document text
    • http://konufij.22web.org/714010545.pdfIn PDF document text
    • http://kismyketio.com/ikea_malm_3_drawer_dresser_whitecyuaq.pdfIn PDF document text
    • http://nevepojikita.22web.org/12796580119.pdfIn PDF document text
    • https://bedaxeribijone.weebly.com/uploads/1/3/2/8/132814155/pezifojezuwofural.pdfIn PDF document text
    • http://nakrutkavk.site/cleaning_keurig_k_cup_coffee_maker8wbwu.pdfIn PDF document text
    • http://kawojoxakinit.22web.org/55867109748.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://vetarobafawuk.epizy.com/pofasifasarevudegos.pdfIn PDF document text
    • https://s3.amazonaws.com/pukaridimupo/aggiornamento_ccleaner_italiano_piriform.pdfIn PDF document text
    • http://lokuvutifinulef.rf.gd/86271944834.pdfIn PDF document text
    • http://sinodigewenewe.rf.gd/97261180344.pdfIn PDF document text
    • http://lizaduguxo.epizy.com/teluxunu.pdfIn PDF document text
    • https://s3.amazonaws.com/xozeb/the_boogeyman_game_free.pdfIn PDF document text
    • https://s3.amazonaws.com/bivanud/investec_bursary_application_form_2020.pdfIn PDF document text
    • https://s3.amazonaws.com/lovomijelun/reformation_day_coloring_sheets.pdfIn PDF document text
    • http://rerununox.rf.gd/miraculous_ladybug_episode_guide_season_3.pdfIn PDF document text
    • http://xewenofos.epizy.com/71611140702.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00011059.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x11059 5384 bytes
SHA-256: 56894bf2c5d04f9c1fcf9d9259180808f7b2df9322e81703b8bbbbffc706bf3f
font_01_sfnt_off000122af.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x122AF 10848 bytes
SHA-256: be93a640bc2e5f6b28101c1027bbed82a8f76ed2933e1947308713e3c1e24167