Malicious PDF — malware analysis report

Static analysis result for SHA-256 8fd9b05c6653cc22…

MALICIOUS

PDF

64.0 KB Created: 2021-02-27 04:47:18 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-17
MD5: fd82383ddfbb0c0c0a33b4bfde239e48 SHA-1: 8ccb767360ca3bd38e8d52dcd386a09733aed1bf SHA-256: 8fd9b05c6653cc2225593a0b98c5b2fb3222666e82673951807cf7dbdba75090
184 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains a large number of external links, many of which point to disposable hosting or domains commonly associated with phishing and malware distribution. The heuristic 'PDF_SEO_LINK_FARM' indicates a deliberate attempt to create a link farm, likely for SEO manipulation or to host malicious redirects. The ML classifier and ClamAV detection strongly suggest malicious intent, classifying it as a phishing trojan.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8307

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://dafemum.ru/award?keyword=certified+associate+project+management+salary PDF link annotation
    • https://cdn-cms.f-static.net/uploads/4424997/normal_5fd64ef0df741.pdfIn PDF document text
    • https://cdn.sqhk.co/fujigugi/eVgiicw/jetedatojufolebunoso.pdfIn PDF document text
    • http://rgtuitp.ru/cissp_cbk_reference_fifth_editionyk3l2.pdfIn PDF document text
    • http://mmeueue.space/pajivedelasaka0ekd2.pdfIn PDF document text
    • http://czecheducation.space/sobuwamozgmn.pdfIn PDF document text
    • http://devumixik.iblogger.org/76284151763.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4385213/normal_602042d2396d4.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4385213/normal_603149ab26840.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4373527/normal_5fe6aefc26dc6.pdfIn PDF document text
    • http://mandarins.space/53805488672awb6l.pdfIn PDF document text
    • https://cdn.sqhk.co/nexetifosam/heieCcw/66507942731.pdfIn PDF document text
    • https://ragikigoludu.weebly.com/uploads/1/3/4/8/134849848/184491c50e222.pdfIn PDF document text
    • http://mandarin-fruit.space/loner_meaning_in_malayalams4bg6.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://dumudolaba.epizy.com/kavogajojajaxaxivajot.pdfIn PDF document text
    • http://nuxesidedojo.epizy.com/free_powerpoint_templates_animations_and_clipart.pdfIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e4d6.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE4D6 5556 bytes
SHA-256: aad942ca970555dfb7bcc8591873065db016a19817330199b80ca52c5562590d