Malicious PDF — malware analysis report

Static analysis result for SHA-256 9e847d4bb586f48e…

MALICIOUS

PDF

55.3 KB Created: 2021-09-26 03:08:47 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-11-25
MD5: 7c514ffffbfe4965beba702330c24cc4 SHA-1: f419f4f646df6843f80d1f5d51c48f7d779f72a0 SHA-256: 9e847d4bb586f48efbbaacc602337d68fdd45d78098326813e2f84f07e71bd68
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and a machine learning classifier, exhibiting characteristics of a phishing lure. It contains embedded JavaScript and multiple external URIs, including one that redirects via a 'utm_term' parameter, suggesting an attempt to download a second-stage payload or redirect the user to a phishing site. The heuristic 'PDF_IMAGE_LURE' indicates the document is designed to appear as an image, hiding a clickable action to launch or submit to an attacker-controlled URL.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8138

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 55 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://queure.ru/uplcv?utm_term=we+have+never+been+modern+pdf PDF link annotation
    • http://barrarioservicos.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1613de015877f5---30489387195.pdfIn PDF document text
    • http://likebarcode.com/image/files/20210920_135018.pdfIn PDF document text
    • http://westhollywood.ilovepokebar.com/uploads/files/42646585893.pdfIn PDF document text
    • http://duoctruongxuan.vn/userfiles/image/file/josogef.pdfIn PDF document text
    • http://dellalontra.it/userfiles/files/jotejoko.pdfIn PDF document text
    • http://lagostena.it/userfiles/files/vepuvu.pdfIn PDF document text
    • http://aajude.pt/backoffice/ckfinder/userfiles/files/14485180655.pdfIn PDF document text
    • http://qlionshousing.ca/userfiles/file/femorokaziguwaresare.pdfIn PDF document text
    • http://law885995.com/upload/fckimages/file/kenipib.pdfIn PDF document text
    • http://www.taimaobi.com/admin/ckfinder/userfiles/files/nemefinosileje.pdfIn PDF document text
    • http://leaders-adv.net/userfiles/file/wovifedorewijabemasufajid.pdfIn PDF document text
    • https://stancijanegrin.com/UserFiles/files/38681154211.pdfIn PDF document text
    • http://hakanhurdacilik.com/userfiles/file/lipizit.pdfIn PDF document text
    • http://collectifff.be/imgdb/accueil/files/62692717834.pdfIn PDF document text
    • http://laxycoffee.com/upload/files/25142001519.pdfIn PDF document text
    • http://evergreendentistryva.com/app/webroot/js/ckfinder/userfiles/files/vulime.pdfIn PDF document text
    • http://www.sparkprototypes.com/wp-content/plugins/formcraft/file-upload/server/content/files/161410ee8e8dc3---losugir.pdfIn PDF document text
    • http://dichvutot99.com/webroot/img/files/nigiwesovifura.pdfIn PDF document text
    • http://luxlustry.ru/img/upload/34230251054.pdfIn PDF document text
    • https://swift-tw.com/lcc/upload/files/rapubesid.pdfIn PDF document text
    • https://stef-nancy.fr/upload/document/91349872943.pdfIn PDF document text
    • https://lockerova.eu/admin/upload/documents/sivewisosafu.pdfIn PDF document text
    • https://0900107678.com/upload/file/92120210037.pdfIn PDF document text
    • https://kaxtongroup.com/home5/maxconne/public_html/kaxtongroup/assets/images/newspostimages/files/34558471592.pdfIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000af34.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xAF34 13876 bytes
SHA-256: 9cd6fea7e13f7db5013ebda009cb830d594fd843cfb17580ec7e6243a6254fb3