Malicious PDF — malware analysis report

Static analysis result for SHA-256 99ed42859b5b7740…

Verdict: MALICIOUS
File type: PDF
Risk Score: 94

Size: 95.7 KB
Created: 2021-09-16 00:16:20 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-11-02

MD5: 7ee0d501fea3e4b324e93cb2fc40ebc5
SHA-1: 02fa6ae2d77156e9e72606e311cb9e3238da562d
SHA-256: 99ed42859b5b7740d27f055341b1ca711bb5e6eed5ec5b46e15b671622966b50

Malware Insights

MITRE ATT&CK: T1566.001 Spearphishing Attachment

The sample is identified as malicious by ClamAV and exhibits characteristics of a link farm, with numerous embedded URLs pointing to potentially malicious or phishing sites. The PDF structure and the presence of embedded URLs suggest an attempt to lure users to external resources, likely for further exploitation or credential harvesting. No scripts were extracted, but the overall pattern indicates a phishing or malware distribution vector.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.2938

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://krisoc.ru/uplcv?utm_term=i+want+to+play+a+drawing+game (PDF link annotation)
    • https://www.akilciilacdernegi.com/ckfinder/userfiles/files/49449392535.pdf (in PDF document text)
    • http://yongchengtech.com/uploads/files/202109121053449918.pdf (in PDF document text)
    • http://satcomlink.com/userData/board/file/memotupuzedaweruso.pdf (in PDF document text)
    • https://a-metal.e-giant.net/archive/file/files/17722247174.pdf (in PDF document text)
    • https://alansglobalservices.com/ckfinder/userfiles/files/44121578425.pdf (in PDF document text)
    • http://awfiowv.love-mrt.com/upload/files/bazosefafunimiza.pdf (in PDF document text)
    • http://siltherm.com/ckfinder/userfiles/files/jajirizureruf.pdf (in PDF document text)
    • http://vrakskodamnetice.cz/file/maxoxagegemaf.pdf (in PDF document text)
    • https://adtw1.com/ckfinder/userfiles/files/51179981602.pdf (in PDF document text)
    • https://imapcb.org/wp-content/plugins/super-forms/uploads/php/files/549e4710d98437fd56f727b4af2c7ca3/xisafa.pdf (in PDF document text)
    • http://crestviewshopping.abwingsmd.com/uploads/files/pikuxopanawotizifexufafox.pdf (in PDF document text)
    • https://alperbehang.nl/userfiles/file/29764606882.pdf (in PDF document text)
    • http://seowonbattery.com/files/fckeditor/file/81303170761363329d9b99.pdf (in PDF document text)
    • http://isleford.com/filespath/files/20210909045135.pdf (in PDF document text)
    • http://hyeminshop.com/DATA/files/75643236897.pdf (in PDF document text)
    • https://rotterdampools.com/contents/files/zesasu.pdf (in PDF document text)
    • https://mccartha-cobb.com/userfiles/files/69143064880.pdf (in PDF document text)
    • https://calienglish.com/ckfinder/images_store/files/30375702765.pdf (in PDF document text)
    • https://suksesunited.com/contents/files/musanopigunizazil.pdf (in PDF document text)
    • http://beckydavidsonhomes.com/wp-content/plugins/formcraft/file-upload/server/content/files/1614261c92f5ee---66730068759.pdf (in PDF document text)
    • http://burragebrothers.org/demo/jolie/beta/userfiles/files/95464693617.pdf (in PDF document text)
    • https://drjou-vc.com/upload/files/gibeseviwizejeki.pdf (in PDF document text)
    • http://beming.com/ressource/site-image/files/16747031010.pdf (in PDF document text)
    • http://theaterbuehne-schwandorf.de/userfiles/file/tisavu.pdf (in PDF document text)
    • https://bimstudioinc.com/media/files/kanikexejexodoxob.pdf (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00012a63.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12A63
    Size: 10716 bytes
    SHA-256: da3bef414712e67e750ea414eea56713d79399c8821c08a483e947b0f1bf744b
  • font_01_sfnt_off000142c9.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x142C9
    Size: 18772 bytes
    SHA-256: 968f558aad72320990856852a2c0e79ddcd57d3dddea903aaf87be07bff02d14