Malicious PDF — malware analysis report

Static analysis result for SHA-256 939c3ac2d0b5d871…

MALICIOUS

PDF

77.9 KB Created: 2021-09-23 18:10:17 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 950da43db696a202c10cb09f36dd6970 SHA-1: 3cfa4192dfc526c887c65d1c837ffed1cf75677b SHA-256: 939c3ac2d0b5d871b551db9352bb4665897faebe310e158801c8c4f5d9e7ccbb
126 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The PDF contains numerous embedded URLs, many of which point to potentially malicious domains, suggesting it functions as a link farm or a lure for phishing or malware downloads. The presence of PDF-specific heuristics like 'PDF_SEO_DISPOSABLE_LINK_FARM' further supports this assessment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9973

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://pierreseche.fr/userfiles/file/bipetorevikolu.pdf
    • http://globalroomplus.com/bot/ckfinder/uf/files/465745999.pdf
    • http://kryotherapie.net/neu/userfiles/file/ninujokusoz.pdf
    • https://vietnaminsight.biz/ckfinder/userfiles/files/76216499648.pdf
    • http://mps-india.com/userfiles/files/49468223034.pdf
    • http://thesnowmanicecream.com/ckfinder/userfiles/files/16358127863.pdf
    • https://www.totalblissbeauty.com.au/application/third_party/ckfinder/userfiles/files/jopatoleminuxatoli.pdf
    • http://dexgerm.com/data/file/userfiles/files/suveriw.pdf
    • http://kurier48.pl/files/userfiles/file/nuvurivodedegubotokujiluz.pdf
    • https://thuhuonglacquer.com/uploads/news_file/34395210778.pdf
    • http://www.garriagricola.com/wp-content/plugins/formcraft/file-upload/server/content/files/16144a99f76bd4---jejaduxunuwelimap.pdf
    • https://bevillelecomte.ovh/ckfinder/userfiles/files/46683242297.pdf
    • http://limuzine.md/userfiles/file/67050442748.pdf
    • http://www.salpasafarit.fi/tiedostot/files/zokipufofekokubobovux.pdf
    • http://www.emporiocaritaspisa.it/wordpress/wp-content/plugins/formcraft/file-upload/server/content/files/161357cac96206---54702076826.pdf
    • https://volgogradexpo.ru/ckfinder/userfiles/files/12859908267.pdf
    • http://hmconcretemixingplant.ru/d/files/fefiwizagagarawekogadisa.pdf
    • https://ecef-groupe.com/wp-content/plugins/super-forms/uploads/php/files/tl31m7ocro00ivquf03orosbi5/86978046048.pdf
    • https://neksav.com/upload/ckfinder/files/dorumu.pdf
    • http://daegyung.kr/userfiles/file/20210910010510.pdf
    • https://aeternoplanning.com/ckfinder/userfiles/files/29688485937.pdf
    • http://lactopad.com/uploads/files/23250067426.pdf
    • https://bem-sa.com/img/file/31707563876.pdf
    • https://floraplant.gr/FCKeditor/userimages/file/vefanadevakunuwije.pdf
    • http://bawaconstructions.com/editorData/file/93404354761.pdf
    • https://feedproxy.google.com/~r/skout/mBVl/~3/1xuhb7AK25c/uplcv?utm_term=how+to+check+download+history+on+play+store
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000cde7.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCDE7 16792 bytes
font_01_sfnt_off0000e5f9.bin
234323c4c8f9caac85d47c3f7ce1f3ea427c5d08aae7c16193eab506bb4b1271		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE5F9 16412 bytes
font_02_sfnt_off0001100f.bin
faaff202b03a4bb77db6b2fba9b873002395e63cda85f1003b0c1212c553d31e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1100F 10892 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.