Malicious PDF — malware analysis report

Static analysis result for SHA-256 a466e69c41588058…

Verdict: MALICIOUS
File type: PDF
Size: 83.3 KB
Created: 2021-04-07 22:06:15 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3d8016b0ab847f2ba2a8b90329cbe87c
SHA-1: de53ee2fe320093d24c74316a2b18cb805b9ab9b
SHA-256: a466e69c4158805805d734bbb8218f986c3c96d14b2f0c9dcb9e058e02e493a8
Risk score: 184

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF contains multiple embedded URLs, one of which (the utm_term link on yafferge.ru) points to a known malicious redirector. The ML classifier score (0.9990) and the ClamAV signature hit both indicate malicious intent. The document body is a lure whose purpose is to direct users, through clickable links, to external and potentially malicious websites; the file itself carries no parser exploit.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (5)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] CLAMAV_DETECTION: ClamAV signature Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
    ClamAV detected this file as malware with the signature Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0.
  • [medium] PDF_SEO_DISPOSABLE_LINK_FARM: Small PDF is a non-clustered link farm on disposable hosting
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the "free document/template" SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains rather than following a normal document citation pattern. The PDF itself carries no exploit: the risk is the linked destinations.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URLs
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://yafferge.ru/strik?utm_term=what+time+period+is+after+the+renaissance
    • http://vaxiliwu.medianewsonline.com/5674371753.pdf
    • http://zorigan.22web.org/psychological_facts_about_human_emotions.pdf
    • https://cdn.sqhk.co/jixasamo/lhjThjF/pro_pinball_big_race_usa_free_download.pdf
    • http://rubulutusalev.22web.org/developed_economy.pdf
    • http://nozumupi.medianewsonline.com/7096886165.pdf
    • https://cdn.sqhk.co/nisisepolo/heOo2jh/44183710822.pdf
    • http://tejovotemikodes.getenjoyment.net/kokukaf.pdf
    • https://cdn.sqhk.co/zesonixiv/jiieyVg/gunshot_noise_download.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://jopinewo.epizy.com/bailey_and_love_surgery_27th_edition_download_free.pdf
    • https://uploads.strikinglycdn.com/files/1f4f7efb-c17b-4e6c-a521-3014406165e3/44108958083.pdf
    • http://bumerezuwo.epizy.com/fabric_dryer_sheets_and_bed_bugs.pdf
    • https://78a3f932-2eca-4366-91b9-d52a2f3c5f58.filesusr.com/ugd/a586f9_463bc5ef7b4c41a8a48939e0dff45323.pdf?index=true
    • http://luxupovokajaf.onlinewebshop.net/budismo_japones.pdf
    • http://dinoxisajuz.rf.gd/68229577316.pdf
    • https://uploads.strikinglycdn.com/files/bf8b9f3d-44e5-4640-a32c-dd22f3dad845/telefono_panasonic_kx-t7633_manual.pdf
    • https://6200e599-3f2f-4e3e-ab45-e6977ed7e777.filesusr.com/ugd/f8de3e_845278f8ec1943a99494bb095fc5babf.pdf?index=true
    • https://uploads.strikinglycdn.com/files/ab1c0e25-71c2-4b03-90fb-e680ffa56a6b/66224513864.pdf
    • https://972af30b-04c2-4618-b911-83ba0b7fef9e.filesusr.com/ugd/84a5c6_f2562ea5521c4b4d811887ba4b831941.pdf?index=true
    • https://3d7304b5-8527-495f-b913-615d6f357a43.filesusr.com/ugd/ef7486_16eb1ffe109f41509fdb0b44fe346be8.pdf?index=true
    • https://c064424b-11a8-4e39-a524-24a74bcd733d.filesusr.com/ugd/54e393_5aa563f40be24f12be8c3026fbe5cd96.pdf?index=true
    • https://uploads.strikinglycdn.com/files/f2b56d17-ecf0-4732-9946-1c9d45154d53/v_for_vendetta_comic_synopsis.pdf
    • https://uploads.strikinglycdn.com/files/6199a95d-39ed-4019-9984-f8073f8c35ae/38931357641.pdf
    • https://101c3d73-5e22-4da1-a203-a3a2a794ce88.filesusr.com/ugd/69a512_7a298623592a4658a428ea41a0e72732.pdf?index=true
    • https://67acb2b6-3e42-4063-a073-371cb527a15d.filesusr.com/ugd/a81d48_47a05c2230c541538e1efdc9a0376f10.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    The last seven entries (the w3.org, purl.org and ns.adobe.com URIs and the SIL OFL link) are RDF/XMP metadata namespace identifiers and the Open Font License URL typically found in an embedded font's name table, not clickable link targets; they are not part of the link-farm evidence.
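The PDF_SEO_DISPOSABLE_LINK_FARM and EMBEDDED_URL findings above describe a shape (small file, many clickable external .pdf links, no dominant host, a utm_term redirector, free/disposable hosts) rather than a parser exploit. The script below is an added example, not the analyzer's own code: it pulls /URI link-annotation targets out of raw PDF bytes with a regex, so it also sees objects added by incremental updates, and then scores host dispersion, utm_term redirectors and disposable hosting. The thresholds (SMALL_PDF_BYTES, MIN_PDF_LINKS, MAX_DOMINANT_SHARE) and the DISPOSABLE_HOSTS list are assumptions for illustration; the sample PDF is constructed in-line from a subset of the URLs listed in this report and is not the analysed file.

```python
from __future__ import annotations

import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Assumed: free/disposable content hosts, taken from the hosts in the URL list
# above. A production list would be longer and maintained separately.
DISPOSABLE_HOSTS = (
    "22web.org", "epizy.com", "rf.gd", "medianewsonline.com", "getenjoyment.net",
    "onlinewebshop.net", "sqhk.co", "strikinglycdn.com", "filesusr.com",
)
SMALL_PDF_BYTES = 200 * 1024   # assumed threshold for "small PDF"
MIN_PDF_LINKS = 10             # assumed: "many" clickable external .pdf links
MAX_DOMINANT_SHARE = 0.5       # assumed: no single host holds more than half of the links

# /URI (literal-string) entries, as found in /Link annotation /A dictionaries.
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")


def extract_uris(pdf: bytes) -> list[str]:
    """Return /URI targets in file order (simplified literal-string de-escaping)."""
    uris = []
    for m in URI_RE.finditer(pdf):
        raw = m.group(1)
        for esc, lit in ((b"\\(", b"("), (b"\\)", b")"), (b"\\\\", b"\\")):
            raw = raw.replace(esc, lit)
        uris.append(raw.decode("latin-1"))
    return uris


def is_disposable(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in DISPOSABLE_HOSTS)


def score_link_farm(pdf: bytes) -> dict:
    """Apply the link-farm heuristic to raw PDF bytes and return the evidence."""
    uris = [u for u in extract_uris(pdf) if u.lower().startswith(("http://", "https://"))]
    parsed = [urlparse(u) for u in uris]
    hosts = Counter((p.hostname or "").lower() for p in parsed)
    pdf_links = [u for u, p in zip(uris, parsed) if p.path.lower().endswith(".pdf")]
    utm_redirectors = [u for u, p in zip(uris, parsed) if "utm_term" in parse_qs(p.query)]
    disposable = [u for u, p in zip(uris, parsed) if is_disposable((p.hostname or "").lower())]
    dominant_share = max(hosts.values()) / len(uris) if uris else 0.0
    verdict = bool(
        len(pdf) <= SMALL_PDF_BYTES
        and len(pdf_links) >= MIN_PDF_LINKS
        and dominant_share <= MAX_DOMINANT_SHARE
        and (utm_redirectors or disposable)
    )
    return {
        "verdict": verdict, "size": len(pdf), "external_links": len(uris),
        "pdf_links": len(pdf_links), "distinct_hosts": len(hosts),
        "dominant_share": round(dominant_share, 2),
        "utm_redirectors": utm_redirectors, "disposable_hosted": disposable,
    }


def build_sample_pdf(urls: list[str]) -> bytes:
    """Constructed minimal one-page PDF with one /Link annotation per URL (test input only)."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>", b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    annots = []
    for i, u in enumerate(urls):
        annots.append(f"{4 + i} 0 R".encode())
        esc = u.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
        objs.append(f"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                    f"/A << /S /URI /URI ({esc}) >> >>".encode())
    objs.insert(2, b"<< /Type /Page /Parent 2 0 R /Annots [" + b" ".join(annots) + b"] >>")
    body = b"%PDF-1.4\n"
    for n, o in enumerate(objs, 1):
        body += f"{n} 0 obj\n".encode() + o + b"\nendobj\n"
    return body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# Constructed input: a subset of the URLs listed in this report, not the analysed file.
SAMPLE_URLS = [
    "https://yafferge.ru/strik?utm_term=what+time+period+is+after+the+renaissance",
    "http://vaxiliwu.medianewsonline.com/5674371753.pdf",
    "http://zorigan.22web.org/psychological_facts_about_human_emotions.pdf",
    "https://cdn.sqhk.co/jixasamo/lhjThjF/pro_pinball_big_race_usa_free_download.pdf",
    "http://rubulutusalev.22web.org/developed_economy.pdf",
    "https://cdn.sqhk.co/nisisepolo/heOo2jh/44183710822.pdf",
    "http://tejovotemikodes.getenjoyment.net/kokukaf.pdf",
    "http://www.ascendercorp.com/",
    "http://www.ascendercorp.com/typedesigners.html",
    "http://jopinewo.epizy.com/bailey_and_love_surgery_27th_edition_download_free.pdf",
    "https://uploads.strikinglycdn.com/files/1f4f7efb-c17b-4e6c-a521-3014406165e3/44108958083.pdf",
    "http://dinoxisajuz.rf.gd/68229577316.pdf",
    "https://uploads.strikinglycdn.com/files/ab1c0e25-71c2-4b03-90fb-e680ffa56a6b/66224513864.pdf",
    "https://78a3f932-2eca-4366-91b9-d52a2f3c5f58.filesusr.com/ugd/a586f9_463bc5ef7b4c41a8a48939e0dff45323.pdf?index=true",
]
SAMPLE_PDF = build_sample_pdf(SAMPLE_URLS)

if __name__ == "__main__":
    print(score_link_farm(SAMPLE_PDF))
```

A benign document with a dozen citations to one publisher's host fails the dispersion test (dominant_share is 1.0), which is what keeps this rule from firing on ordinary bibliographies.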
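The PDF_DUPLICATE_OBJ_BODY_INCREMENTAL rule above depends on which definition of an object a reader resolves. The following added example (my code, not the analyzer's) scans raw PDF bytes for every "N G obj ... endobj" span, including those appended by incremental updates after the first %%EOF, groups them by (N, G), reports pairs whose bodies differ, records the first-wins and last-wins digests, and raises severity only when a differing copy carries active content. The ACTIVE_KEYS list is an assumption, and the sample PDF is constructed in-line.

```python
from __future__ import annotations

import hashlib
import re

# "N G obj ... endobj", non-greedy across newlines. A real parser would honour
# stream /Length so that "endobj" bytes inside binary stream data are not taken
# as the terminator; this raw scan is the triage shortcut.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)

# Assumed: dictionary keys that make a redefined object "active content".
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction", b"/AA",
               b"/URI", b"/SubmitForm", b"/EmbeddedFile")


def find_duplicate_objects(pdf: bytes) -> list[dict]:
    """Report (N, G) pairs defined more than once with differing body bytes."""
    copies: dict[tuple[int, int], list[tuple[int, bytes]]] = {}
    for m in OBJ_RE.finditer(pdf):
        key = (int(m.group(1)), int(m.group(2)))
        copies.setdefault(key, []).append((m.start(), m.group(3).strip()))

    findings = []
    for (num, gen), defs in copies.items():
        if len(defs) < 2:
            continue
        digests = [hashlib.sha256(body).hexdigest() for _, body in defs]
        if len(set(digests)) == 1:
            continue  # byte-identical re-save: the usual benign incremental update
        active = any(k in body for _, body in defs for k in ACTIVE_KEYS)
        findings.append({
            "obj": f"{num} {gen}",
            "copies": len(defs),
            "offsets": [off for off, _ in defs],
            "first_wins_sha256": digests[0],   # what a first-definition reader resolves
            "last_wins_sha256": digests[-1],   # what a last-definition (xref /Prev) reader resolves
            "active_content": active,
            "severity": "critical" if active else "info",
        })
    return findings


# Constructed sample (not the analysed file): an original revision followed by an
# incremental update that re-saves object 2 unchanged, edits object 4 harmlessly,
# and redefines the catalog (object 1) with an /OpenAction running JavaScript.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>\nendobj\n"
    b"4 0 obj\n<< /Producer (constructed sample) >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Info 4 0 R >>\n%%EOF\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"4 0 obj\n<< /Producer (constructed sample v2) >>\nendobj\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R "
    b"/OpenAction << /S /JavaScript /JS (app.alert\\(1\\)) >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Info 4 0 R /Prev 9 >>\n%%EOF\n"
)

if __name__ == "__main__":
    for f in find_duplicate_objects(SAMPLE_PDF):
        print(f["severity"], f["obj"], "copies:", f["copies"], "active:", f["active_content"])
```

Object 2 is not reported at all, object 4 surfaces as info, and object 1 is critical: a first-wins parser (or a scanner that stops at the first %%EOF) sees a plain catalog, while a conforming reader following the update chain executes the JavaScript.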

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000fd49.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFD49
    Size: 2900 bytes
    SHA-256: 68d094faf81d2ea9f62e68ee4e789e40b6192f27e323b9e50c58fbaa8f881837
  • font_01_sfnt_off0001078c.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1078C
    Size: 5376 bytes
    SHA-256: 290c464c7bf7d579097aed7ac253401af4851dbe7804cb1fe9de18467d625f09
  • font_02_sfnt_off000119b3.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x119B3
    Size: 11084 bytes
    SHA-256: 99893d3974256d019534c918b90f2810e922ca248873e05c7c89ae8e1a0b3c8a
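Each artifact above is identified by an offset, a byte length and a hash. The added example below (my code, not the analyzer's carver) shows how those three values are derived for an sfnt font: scan decoded stream bytes for sfnt magic (0x00010000 TrueType, "OTTO" CFF OpenType, "true" Apple TrueType), parse the table directory, sanity-check every table record, and take the end of the furthest 4-byte-padded table as the carve length. It assumes the stream has already been FlateDecoded; the sample blob is constructed in-line from two synthetic fonts, with a stray "true" in text to exercise the false-positive path.

```python
from __future__ import annotations

import hashlib
import struct

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true")  # TrueType, CFF OpenType, Apple TrueType
MAX_TABLES = 64  # assumed sanity bound; real fonts carry far fewer tables


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sfnt_extent(blob: bytes, off: int) -> tuple[int, list[str]] | None:
    """Parse the table directory at `off`; return (byte length, tags) or None if malformed."""
    if off + 12 > len(blob):
        return None
    num_tables = struct.unpack_from(">H", blob, off + 4)[0]
    dir_end = 12 + 16 * num_tables
    if not 1 <= num_tables <= MAX_TABLES or off + dir_end > len(blob):
        return None
    end, tags = dir_end, []
    for i in range(num_tables):
        tag, _checksum, toff, tlen = struct.unpack_from(">4sIII", blob, off + 12 + 16 * i)
        if not all(0x20 <= b <= 0x7E for b in tag):           # tags are printable ASCII
            return None
        if toff < dir_end or toff + tlen > len(blob) - off:  # table must follow the directory and fit
            return None
        tags.append(tag.decode("ascii"))
        end = max(end, min(toff + ((tlen + 3) & ~3), len(blob) - off))  # tables are 4-byte padded
    return end, tags


def carve_sfnt_fonts(blob: bytes) -> list[dict]:
    """Scan decoded stream bytes for sfnt fonts; return offset, length, tags and hash per font."""
    fonts, pos = [], 0
    while True:
        hits = [i for i in (blob.find(m, pos) for m in SFNT_MAGICS) if i != -1]
        if not hits:
            return fonts
        off = min(hits)
        parsed = sfnt_extent(blob, off)
        if parsed is None:        # e.g. the word "true" in text: not a font, keep scanning
            pos = off + 1
            continue
        length, tags = parsed
        fonts.append({"offset": off, "length": length, "tags": tags,
                      "sha256": sha256_hex(blob[off:off + length])})
        pos = off + length


def table_checksum(padded: bytes) -> int:
    """sfnt table checksum: big-endian uint32 sum over the 4-byte-padded table."""
    return sum(struct.unpack(f">{len(padded) // 4}I", padded)) & 0xFFFFFFFF


def build_sfnt(tables: dict[bytes, bytes], magic: bytes = b"\x00\x01\x00\x00") -> bytes:
    """Constructed minimal sfnt (header, sorted directory, padded tables) for the sample blob."""
    n = len(tables)
    entry_selector = n.bit_length() - 1
    search_range = (1 << entry_selector) * 16
    header = magic + struct.pack(">HHHH", n, search_range, entry_selector, n * 16 - search_range)
    directory, data, base = b"", b"", 12 + 16 * n
    for tag, content in sorted(tables.items()):
        padded = content + b"\0" * (-len(content) % 4)
        directory += struct.pack(">4sIII", tag, table_checksum(padded), base + len(data), len(content))
        data += padded
    return header + directory + data


# Constructed sample: two synthetic fonts inside "decoded" stream bytes, not data
# from the analysed file. The word "true" in PREFIX is a deliberate false positive.
FONT_A = build_sfnt({b"glyf": b"GLYF-DATA", b"head": bytes(range(54))})
FONT_B = build_sfnt({b"CFF ": b"CFF-TABLE-BYTES", b"name": b"Constructed"}, magic=b"OTTO")
PREFIX = b"decoded stream prefix: the flag is true, see below\n"
MID = b"\nanother decoded stream\n"
SAMPLE_BLOB = PREFIX + FONT_A + MID + FONT_B

if __name__ == "__main__":
    for f in carve_sfnt_fonts(SAMPLE_BLOB):
        print(f"sfnt at offset 0x{f['offset']:X} {f['length']} bytes tables={f['tags']} sha256={f['sha256']}")
```

The table-directory walk is what makes the carve length trustworthy: a magic hit whose records point outside the buffer or carry non-ASCII tags is rejected instead of producing a truncated or oversized artifact.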