Malicious PDF — malware analysis report

Static analysis result for SHA-256 a5caed6d7ec13935…

Verdict: MALICIOUS
File type: PDF
Size: 96.7 KB
Created: 2021-03-19 16:34:31 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-06-30
MD5: 0063630d1b78751621e6169a3948816b
SHA-1: 42bce4d5bc7cbd70345dc3c25a8ffa129794c980
SHA-256: a5caed6d7ec13935dfca7da20fb17e87f678e7fa3c2073b922c9e841fc76c821
Risk Score: 244

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged as malicious by ClamAV, by an ML classifier and by multiple critical heuristics. It contains a large number of embedded links, many pointing to disposable hosting, and one specific URL is identified as a known malicious redirector. The document body, though heavily obfuscated, appears to be a lure related to product parts, suggesting a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9993

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [severity: critical, rule: CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF links to known malicious redirector infrastructure [severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK]
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [severity: critical, rule: PDF_SEO_LINK_FARM]
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting [severity: medium, rule: PDF_SEO_DISPOSABLE_LINK_FARM]
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Object number defined twice with different bodies [severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [severity: info, rule: EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off000135aa.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x135AA
    Size: 5772 bytes
    SHA-256: 29b6753ced0ab0aa7f70687acd13e6f2f4ff29d5e819b4f2615e832b498ccec7
  • font_01_sfnt_off0001495d.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1495D
    Size: 12864 bytes
    SHA-256: 5bf07c31a5ecb65c13ed71fe5dbe66acad88db00466663828f22e0f8a7d35ff1