Malicious PDF — malware analysis report

Static analysis result for SHA-256 916eed535c79607a…

MALICIOUS

PDF

84.1 KB Created: 2021-04-13 19:43:13 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e7f5c7639e38e9a33eea38cd8af1e87d SHA-1: d2802d51662385b891cbcce31df52e133704c48a SHA-256: 916eed535c79607a8d24729d7db675a4a4269652b75593ece7a2f68fa095cbfe
126 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document was flagged as malicious by ML classifiers and ClamAV, indicating a phishing or trojan payload. It contains numerous embedded URLs, many of which point to disposable domains and are likely part of a link farm designed to redirect users to malicious content. The document body, though heavily obfuscated, appears to be a lure related to search queries, aiming to trick users into clicking these links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://pelibifir.ru/strik?utm_term=how+do+i+find+my+walmart+sku+number
    • http://hayatevesigar.online/kitchenaid_superba_oven_error_codesovmn4.pdf
    • http://webdefilmizle.com/tamipokerimojujuvedmutt.pdf
    • http://lifeit.pro/ruvavitasofupeb2e4s5.pdf
    • https://cdn-cms.f-static.net/uploads/4404984/normal_606e292fd06e6.pdf
    • http://uscreditreport2021.info/sketchup_pro_free_download_macub2dy.pdf
    • https://cdn-cms.f-static.net/uploads/4451542/normal_60348b294f378.pdf
    • http://firstflirts.site/problemas_ambientales_en_mexicop4voz.pdf
    • http://afracheat2.xyz/vexaduxufetozuf7bqx.pdf
    • http://remontnatali.ru/save_the_earth_t_shirt_liza_koshy37ebu.pdf
    • http://copyrightshelpscenters.com/regikumao70.pdf
    • http://notojubemeduxan.iblogger.org/veterinary_anatomy_coloring_book_free.pdf
    • https://cdn-cms.f-static.net/uploads/4367275/normal_5fe821ee01a11.pdf
    • http://agentsecure.space/chokher_bali_book_in_bengalitashj.pdf
    • https://cdn-cms.f-static.net/uploads/4427095/normal_60663e1c4c494.pdf
    • https://static.s123-cdn-static.com/uploads/4401692/normal_5ff7933c58635.pdf
    • http://tesodip.iblogger.org/how_to_connect_brother_printer_to_scan_to_computer.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://kemexulirejaror.rf.gd/xelogemazoxagutexadadud.pdf
    • http://rurasikawasup.epizy.com/balanced_scorecard_performance_measurement.pdf
    • https://42190e62-4dca-482d-a077-ae7b222d7779.filesusr.com/ugd/b91392_2e9c45a5469647c4bc77f43d0aa6839b.pdf?index=true
    • https://eaa62ee9-779c-4a2d-9f50-6c66b019a99c.filesusr.com/ugd/1cc777_0a9b13b39c6946e991b1b5d049265293.pdf?index=true
    • http://zilomit.epizy.com/viavi_directory_listing_html_template_nulled.pdf
    • https://696f1bd8-06c3-47a7-a8f7-e83e17ec8d18.filesusr.com/ugd/5ad03d_e9405f0899c94b02ad107f255a787055.pdf?index=true
    • http://bopoxisi.rf.gd/remington_model_700_adl_vs_sps.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00010a3a.bin
351873638b7098986111d792dcffe2d3efe88d9cee6143881fe6576e954e1254		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10A3A 5412 bytes
font_01_sfnt_off00011c9a.bin
5de0b006f22b0939b0454d7127488d0b83b8673d125210b1117e331c93e67fe9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11C9A 11204 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.