Malicious PDF — malware analysis report

Static analysis result for SHA-256 8f0435f7fee7da4a…

MALICIOUS

PDF

Size: 81.0 KB
Created: 2021-04-16 23:51:24 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 60c204516b299bb8035118375ac023a2
SHA-1: bf15d56b3d8cc3a25d77913f3402c8a0e5cb8bdf
SHA-256: 8f0435f7fee7da4a701668d2dfdf2a0ae2620dcd953835c2f22c3566a62cda11
Risk Score: 126

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous embedded URLs, with several pointing to disposable domains and link farms, indicating a phishing or spamming operation. Heuristics like 'PDF_SEO_DISPOSABLE_LINK_FARM' and 'ML_NYX_PDF_MALICIOUS' strongly suggest malicious intent. The presence of external URIs and the ClamAV detection as 'Pdf.Phishing.Trojan' further support this assessment, pointing towards a spearphishing attachment attack vector.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 2

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000fadd.bin
    SHA-256: 52df81a0e2b0755bbf97014363b207781aaf29a4e6e8e35e94c8678d8dcedaa3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFADD
    Size: 5088 bytes
  • Filename: font_01_sfnt_off00010c45.bin
    SHA-256: 1a8c29e68adc11e2aa6268aa0200acb7459c3c86d0e2cd96ed1700b8190a1871
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10C45
    Size: 12328 bytes