Malicious PDF — malware analysis report

Static analysis result for SHA-256 99ff0a564921e934…

Verdict: MALICIOUS
File type: PDF
Size: 78.8 KB
Created: 2021-04-01 05:46:57 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 72a035c02734ba809e3daf7aa1f22dfa
SHA-1: bb9eb5b1cc7c687f3ed1545381f1040d8bfb242d
SHA-256: 99ff0a564921e9349a2af38c3ab8436b74c2fd2642f42cd5ee4d34d5de0a4b43
Risk Score: 126

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by multiple heuristics, including a critical ClamAV detection for 'Pdf.Phishing.Trojan' and an ML classifier indicating maliciousness. The embedded URL, 'https://midufefew.ru/aws?utm_term=better+business+bureau+york+pa+phone+number', is presented in a way that mimics a search result, suggesting a phishing or redirection attempt. The PDF structure itself is identified as a link farm on disposable hosting, further supporting a malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://midufefew.ru/aws?utm_term=better+business+bureau+york+pa+phone+number

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000f635.bin
    SHA-256: d02a1c1436683784d4cd99ae62706970797197795c624f5423e77f565aa922df
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF635
    Size: 5380 bytes
  • Filename: font_01_sfnt_off00010862.bin
    SHA-256: 9d41ded8863aac8d00a8a82577aff7a6f2c9aa2201abe1fed87490bbd0968d28
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10862
    Size: 10852 bytes