Malicious PDF — malware analysis report

Static analysis result for SHA-256 91ad187caf746633…

MALICIOUS

PDF

73.2 KB Created: 2021-03-21 21:39:54 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-06-30
MD5: 37626f1bfe3c70377b193d87f1b0b5aa SHA-1: 4781d4c7a730b5c602abdc5cbcd6be8a168662c6 SHA-256: 91ad187caf746633fe9eef107ec5a7a6839b2dde8fba34d1bf53f7cb2e5aa6be
254 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains multiple embedded links, with at least one identified as a malicious redirector. The heuristic 'PDF_MALICIOUS_REDIRECTOR_LINK' and the ClamAV detection strongly indicate malicious intent. The document body, though heavily obfuscated, suggests a lure related to loan guidelines, which is a common tactic for phishing or malware delivery. The presence of numerous links, including a 'link farm', further supports the idea of a distribution or phishing campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://dafemum.ru/123?utm_term=conventional+loan+3+down+guidelines In PDF document text
    • https://cdn-cms.f-static.net/uploads/4465270/normal_6032df76d0029.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4467273/normal_5fdd47d96f1b2.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4412591/normal_6042d8660855e.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://zijanoxudajami.epizy.com/counter_strike_warzone_free.pdfIn PDF document text
    • https://s3.amazonaws.com/mudurixo/60771054579.pdfIn PDF document text
    • https://a97cc435-ef8e-4ffb-8544-4b9c0bda5a6e.filesusr.com/ugd/7ab440_80f99e243a3c4dea9ec066da10bc6330.pdf?index=trueIn PDF document text
    • https://75cc4b12-69da-4024-8422-75f9303faa99.filesusr.com/ugd/d6c222_f19d33775f444114bd5da57c5202f23f.pdf?index=trueIn PDF document text
    • http://toxabose.epizy.com/rar_password_recovery.pdfIn PDF document text
    • https://s3.amazonaws.com/xujitezu/venom_fight_stick_template.pdfIn PDF document text
    • https://s3.amazonaws.com/gavexilatuvitaz/bookmark_template_size.pdfIn PDF document text
    • http://dopisudul.epizy.com/b._com_1st_year_question_paper_2020.pdfIn PDF document text
    • https://s3.amazonaws.com/pesetufavo/86694270509.pdfIn PDF document text
    • https://s3.amazonaws.com/vuxirefare/alabama_college_football_injury_report.pdfIn PDF document text
    • https://b20aee1f-b1b7-4e4e-be5e-d884e4ece670.filesusr.com/ugd/10e3af_3828743d53884778baa9fb7cd7a84743.pdf?index=trueIn PDF document text
    • https://s3.amazonaws.com/zuvovoxigumuz/dedication_template_dissertation.pdfIn PDF document text
    • https://2b08c346-38d8-4763-b559-bb9d4fff2313.filesusr.com/ugd/40c9d6_e759a348050b410aae55b0f73973c2e5.pdf?index=trueIn PDF document text
    • https://s3.amazonaws.com/xarojapi/fimatukubige.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e1d8.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE1D8 5116 bytes
SHA-256: d021cc2a934b125d2d3cd9961ac2c6e6dd8646823eed359d85b9c9f42b674747
font_01_sfnt_off0000f36a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF36A 11008 bytes
SHA-256: 4a3936892a8b2fb366e4ca756b6542536933960e0ea4bbde397725fb958298b8

Open this report in the interactive analyzer, or submit your own file for analysis.