Malicious PDF — malware analysis report

Static analysis result for SHA-256 a67a64512e246985…

Verdict: MALICIOUS
File type: PDF
Size: 64.0 KB
Created: 2021-04-22 01:46:00 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-08-25
MD5: ab4e554e4e091a31faab821747b73ade
SHA-1: 1a2cae138cbddf7e068269ad7753fa3f53fd13e3
SHA-256: a67a64512e246985b358f5447ca8a9f6f98d912f5d5f23575354a1eeda47f07f
Risk score: 184

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links: 24 links to .pdf files spread over 21 distinct hosts (a dozen of them on GUID-named filesusr.com subdomains and four on strikinglycdn.com), plus a link annotation pointing at a utm_term SEO-redirector URL. Most targets are unrelated or disposable-hosting domains, which matches a generated SEO link-farm carrier rather than a document with genuine citations. The remaining URLs (ascendercorp.com and scripts.sil.org/OFL) are most likely font-licence strings from the embedded font, not link targets. The metadata shows the file was produced with wkhtmltopdf, a legitimate HTML-to-PDF converter; that fits an automatically generated document but is not by itself an indicator of maliciousness. The ClamAV phishing signature and the ML classifier score (0.9487) support the verdict. The PDF carries no exploit or script of its own; the risk is in the linked destinations, which route users into phishing or unwanted-software delivery chains.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9487

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://nipisod.ru/strik?utm_term=toto+wall+hung+toilet+installation+manual (PDF link annotation)
    • http://autoupgrade.website/breath_of_the_wild_recipesbi9rn.pdf (in PDF document text)
    • http://leadtop.co/92963814917rnxh7.pdf (in PDF document text)
    • http://paypallsecurity.com/emergency_survival_kit_list3tojx.pdf (in PDF document text)
    • http://onesmall.space/dvdfab_10_cracka9gb3.pdf (in PDF document text)
    • http://about-central.com/75313527200lulb7.pdf (in PDF document text)
    • http://hookup666.site/background_hd_wallpapers_for_whatsappugcw7.pdf (in PDF document text)
    • http://biomaniks.website/ragukivisudulafun4syb.pdf (in PDF document text)
    • http://clubstore.pro/avent_steriliser_bag_instructionsxcdqr.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://ca7c05ed-d233-4774-9cf9-08ff86aa6c73.filesusr.com/ugd/b42fd6_8500eb6b4a7a46ff918d3525c1122d58.pdf?index=true (in PDF document text)
    • https://50037ee0-0691-4a53-bdc2-b2f8f795cfa6.filesusr.com/ugd/b41a9a_4c71f02e1e9e427f8028f29ccd01b772.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/f7fbae43-4e12-45cb-bff8-01edcb768e29/ziterilifew.pdf (in PDF document text)
    • https://cc67bef4-e22e-42fd-bf01-3f02b15f800b.filesusr.com/ugd/080020_e2c6cd4951a84b589b3c8ddf38acc3e2.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/1758866a-5de4-4d2d-a54b-e746f1c206b9/jusebogakive.pdf (in PDF document text)
    • https://6e37e838-c278-4d46-baa9-25b8497af200.filesusr.com/ugd/fbcb80_0865b8f136684a00800a8bdfae764bba.pdf?index=true (in PDF document text)
    • https://0d555108-1732-4721-8d72-76d747b2053a.filesusr.com/ugd/1b0481_230507171adf497080307cfd26de53fb.pdf?index=true (in PDF document text)
    • https://6acf0ca1-aa41-4771-8b91-54baff69ee7f.filesusr.com/ugd/7d1dc9_375abcb5703649648c0054f0acf8d2fa.pdf?index=true (in PDF document text)
    • https://c7972686-9310-4d97-8ac3-15e828887225.filesusr.com/ugd/8a419d_7ad624f41b9948c780e25afdb50ea54a.pdf?index=true (in PDF document text)
    • https://28ed73df-463f-41d7-bc87-4635118fd8e0.filesusr.com/ugd/74acc8_7090df23d2954c7bb93d20ebe87680fb.pdf?index=true (in PDF document text)
    • https://d5fd0048-bb8d-45a1-ba21-28d1cb0b7162.filesusr.com/ugd/5e8de6_c4c12ce9ddae4dd099ce9215ed65ccd4.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/dc477f9a-2f99-41dc-8bb1-fd837e01840d/why_is_antigone_so_important.pdf (in PDF document text)
    • https://ff4d9611-e7ea-45f2-85d3-f0b464ef817f.filesusr.com/ugd/48f461_099425e7251a4e6293c6a05a3aa45317.pdf?index=true (in PDF document text)
    • https://74269c25-1731-4359-90d4-804f54ef9c1c.filesusr.com/ugd/b5973a_f235bfc186f04a51824c0f51d664357b.pdf?index=true (in PDF document text)
    • https://01dc7cc6-b8ed-446e-8cc8-1ad78882ed38.filesusr.com/ugd/e23fbb_fdb3237e221b41219ff18f65e4ee29e4.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/57155029-0240-4e72-8597-0d9c038cad63/25348617542.pdf (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
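The two link-farm heuristics above turn on how the link targets cluster by host. As an added example (not part of the report or of the tool that produced it), the Python below re-derives those signals from the URL list printed above: it builds a constructed, uncompressed PDF-shaped byte string carrying the same URLs, splits them by channel (/URI link annotation versus bare URLs in document text), and then measures host clustering at two granularities. Counting full hostnames, the GUID-named filesusr.com subdomains are all distinct and no host dominates; collapsing to the registrable domain, filesusr.com carries half of the .pdf links. That is why both heuristics can fire on one file. The thresholds, the free-host set and the regex-based extraction are assumptions for the example.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# URLs exactly as listed in the report above, split by the channel that carried them.
ANNOTATION_URLS = [
    "https://nipisod.ru/strik?utm_term=toto+wall+hung+toilet+installation+manual",
]
TEXT_URLS = [
    "http://autoupgrade.website/breath_of_the_wild_recipesbi9rn.pdf",
    "http://leadtop.co/92963814917rnxh7.pdf",
    "http://paypallsecurity.com/emergency_survival_kit_list3tojx.pdf",
    "http://onesmall.space/dvdfab_10_cracka9gb3.pdf",
    "http://about-central.com/75313527200lulb7.pdf",
    "http://hookup666.site/background_hd_wallpapers_for_whatsappugcw7.pdf",
    "http://biomaniks.website/ragukivisudulafun4syb.pdf",
    "http://clubstore.pro/avent_steriliser_bag_instructionsxcdqr.pdf",
    "http://www.ascendercorp.com/",
    "http://www.ascendercorp.com/typedesigners.html",
    "https://ca7c05ed-d233-4774-9cf9-08ff86aa6c73.filesusr.com/ugd/b42fd6_8500eb6b4a7a46ff918d3525c1122d58.pdf?index=true",
    "https://50037ee0-0691-4a53-bdc2-b2f8f795cfa6.filesusr.com/ugd/b41a9a_4c71f02e1e9e427f8028f29ccd01b772.pdf?index=true",
    "https://uploads.strikinglycdn.com/files/f7fbae43-4e12-45cb-bff8-01edcb768e29/ziterilifew.pdf",
    "https://cc67bef4-e22e-42fd-bf01-3f02b15f800b.filesusr.com/ugd/080020_e2c6cd4951a84b589b3c8ddf38acc3e2.pdf?index=true",
    "https://uploads.strikinglycdn.com/files/1758866a-5de4-4d2d-a54b-e746f1c206b9/jusebogakive.pdf",
    "https://6e37e838-c278-4d46-baa9-25b8497af200.filesusr.com/ugd/fbcb80_0865b8f136684a00800a8bdfae764bba.pdf?index=true",
    "https://0d555108-1732-4721-8d72-76d747b2053a.filesusr.com/ugd/1b0481_230507171adf497080307cfd26de53fb.pdf?index=true",
    "https://6acf0ca1-aa41-4771-8b91-54baff69ee7f.filesusr.com/ugd/7d1dc9_375abcb5703649648c0054f0acf8d2fa.pdf?index=true",
    "https://c7972686-9310-4d97-8ac3-15e828887225.filesusr.com/ugd/8a419d_7ad624f41b9948c780e25afdb50ea54a.pdf?index=true",
    "https://28ed73df-463f-41d7-bc87-4635118fd8e0.filesusr.com/ugd/74acc8_7090df23d2954c7bb93d20ebe87680fb.pdf?index=true",
    "https://d5fd0048-bb8d-45a1-ba21-28d1cb0b7162.filesusr.com/ugd/5e8de6_c4c12ce9ddae4dd099ce9215ed65ccd4.pdf?index=true",
    "https://uploads.strikinglycdn.com/files/dc477f9a-2f99-41dc-8bb1-fd837e01840d/why_is_antigone_so_important.pdf",
    "https://ff4d9611-e7ea-45f2-85d3-f0b464ef817f.filesusr.com/ugd/48f461_099425e7251a4e6293c6a05a3aa45317.pdf?index=true",
    "https://74269c25-1731-4359-90d4-804f54ef9c1c.filesusr.com/ugd/b5973a_f235bfc186f04a51824c0f51d664357b.pdf?index=true",
    "https://01dc7cc6-b8ed-446e-8cc8-1ad78882ed38.filesusr.com/ugd/e23fbb_fdb3237e221b41219ff18f65e4ee29e4.pdf?index=true",
    "https://uploads.strikinglycdn.com/files/57155029-0240-4e72-8597-0d9c038cad63/25348617542.pdf",
    "http://scripts.sil.org/OFL",
]

# Free/disposable content hosts present in this sample. Assumption: a production list is far longer.
FREE_HOSTS = {"filesusr.com", "strikinglycdn.com"}
URI_ACTION_RE = re.compile(rb"/S\s*/URI\s*/URI\s*\((?P<url>[^)]+)\)")   # clickable /URI actions
BARE_URL_RE = re.compile(rb"https?://[^\s()<>\"']+")                      # any URL-looking bytes


def build_sample_pdf():
    """Constructed, uncompressed PDF-shaped bytes: one /URI link annotation plus a content
    stream that draws the body-text URLs. Not the analysed file; the structure is made up."""
    annots = b"".join(
        b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (%s) >> >>\n" % u.encode()
        for u in ANNOTATION_URLS)
    body = b"".join(b"BT (%s) Tj ET\n" % u.encode() for u in TEXT_URLS)
    return b"%PDF-1.4\n" + annots + b"stream\n" + body + b"endstream\n%%EOF\n"


def extract_urls(pdf):
    """Split URLs by channel: /URI actions (clickable) vs bare URLs anywhere else (document text)."""
    annotation = [m.group("url").decode("latin-1") for m in URI_ACTION_RE.finditer(pdf)]
    text = [u.decode("latin-1") for u in BARE_URL_RE.findall(pdf)]
    return {"annotation": annotation, "text": [u for u in text if u not in set(annotation)]}


def registrable(host):
    """Crude eTLD+1 (last two labels); use a public-suffix library for real work."""
    return ".".join(host.lower().split(".")[-2:])


def link_farm_signals(urls, min_links=10, dominant_share=0.5):
    """Mirror the two link-farm heuristics. Thresholds are assumptions for the example."""
    pdf_links = [u for u in urls if urlparse(u).path.lower().endswith(".pdf")]
    hosts = [urlparse(u).hostname or "" for u in pdf_links]
    by_host = Counter(hosts)                              # GUID.filesusr.com subdomains stay distinct
    by_domain = Counter(registrable(h) for h in hosts)    # ...but collapse to filesusr.com here
    n = len(pdf_links)
    top_host = max(by_host.values()) / n if n else 0.0
    top_domain = max(by_domain.values()) / n if n else 0.0
    utm_redirector = any("utm_term=" in urlparse(u).query for u in urls)
    free_hosting = any(registrable(h) in FREE_HOSTS for h in hosts)
    return {
        "pdf_links": n,
        "distinct_hosts": len(by_host),
        "top_host_share": round(top_host, 3),
        "top_domain_share": round(top_domain, 3),
        # PDF_SEO_LINK_FARM analogue: many PDF links, one registrable domain dominates
        "clustered_link_farm": n >= min_links and top_domain >= dominant_share,
        # PDF_SEO_DISPOSABLE_LINK_FARM analogue: many PDF links, no dominant hostname,
        # corroborated by a utm_term redirector or free-hosting targets
        "disposable_link_farm": n >= min_links and top_host < dominant_share
                                 and (utm_redirector or free_hosting),
    }


def analyse(pdf):
    found = extract_urls(pdf)
    return link_farm_signals(found["annotation"] + found["text"])


if __name__ == "__main__":
    print(analyse(build_sample_pdf()))
```

Real PDFs usually Flate-compress their content streams, so the bare-URL channel only sees anything after decompression (for instance `qpdf --stream-data=uncompress in.pdf out.pdf`, or a PDF library); /URI actions often sit in plain annotation dictionaries, but in PDF 1.5+ those can also live inside compressed object streams, so run the extractor on the decompressed file in both cases.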

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000d600.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xD600
Size: 4928 bytes
SHA-256: b637bf20746026bf8eb158c3abea6b2e09da82e79f1329ebb0f570d9dd10b686
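A carved font stream deserves a structural sanity check before it is filed as benign: an sfnt (TrueType/OpenType) blob starts with a 12-byte offset table followed by a table directory whose entries must point inside the blob. The Python below is an added example, not the report tool's carving code. It builds a constructed minimal sfnt inside PDF-shaped container bytes at a stand-in offset (the real artifact sits at 0xD600 and is 4928 bytes; the example does not reproduce it), carves it out, and validates the directory, rejecting truncated blobs, unknown version tags and tables that lie outside the carved range.

```python
import struct

# sfnt version tags: 0x00010000 TrueType, 'OTTO' OpenType/CFF, 'true' Apple TrueType
SFNT_VERSIONS = {0x00010000: "TrueType", 0x4F54544F: "OpenType/CFF", 0x74727565: "TrueType"}


def carve(container, offset, size):
    """Slice a stream out of its container, refusing ranges that run past the end."""
    if offset < 0 or size < 0 or offset + size > len(container):
        raise ValueError("carve range exceeds container")
    return container[offset:offset + size]


def parse_sfnt_directory(blob):
    """Parse the sfnt offset table and table directory; raise ValueError on anything inconsistent."""
    if len(blob) < 12:
        raise ValueError("blob shorter than the 12-byte sfnt offset table")
    version, num_tables = struct.unpack(">IH", blob[:6])
    if version not in SFNT_VERSIONS:
        raise ValueError(f"unknown sfnt version 0x{version:08X}")
    dir_end = 12 + 16 * num_tables
    if dir_end > len(blob):
        raise ValueError(f"table directory ({num_tables} entries) runs past end of blob")
    tables = {}
    for i in range(num_tables):
        tag, _checksum, offset, length = struct.unpack_from(">4sIII", blob, 12 + 16 * i)
        if not all(0x20 <= c <= 0x7E for c in tag):
            raise ValueError(f"non-printable table tag {tag!r}")
        if offset < dir_end or offset + length > len(blob):
            raise ValueError(f"table {tag.decode()} at {offset}+{length} lies outside the blob")
        tables[tag.decode("ascii")] = (offset, length)
    return {"format": SFNT_VERSIONS[version], "tables": tables}


def is_valid_sfnt(blob):
    """True when the blob has a well-formed sfnt directory, False otherwise."""
    try:
        parse_sfnt_directory(blob)
        return True
    except ValueError:
        return False


def build_sample_sfnt():
    """Constructed minimal TrueType-flavoured sfnt with two zero-filled tables (not a usable font)."""
    tables = [(b"head", bytes(54)), (b"name", bytes(6))]
    n = len(tables)
    header = struct.pack(">IHHHH", 0x00010000, n, 32, 1, 0)   # searchRange/entrySelector/rangeShift for n=2
    records, data, off = b"", b"", 12 + 16 * n
    for tag, body in tables:
        records += struct.pack(">4sIII", tag, 0, off, len(body))
        padded = body + bytes((-len(body)) % 4)              # table data is 4-byte aligned
        data += padded
        off += len(padded)
    return header + records + data


def build_sample_container():
    """PDF-shaped container bytes with the font at a known offset; returns (bytes, offset, size)."""
    font = build_sample_sfnt()
    prefix = b"%PDF-1.4\n" + bytes(0x100) + b"stream\n"
    return prefix + font + b"\nendstream\n", len(prefix), len(font)


if __name__ == "__main__":
    container, off, size = build_sample_container()
    print(parse_sfnt_directory(carve(container, off, size)))
```

A directory that parses cleanly only says the stream is shaped like a font; a blob that fails here (wrong version tag, tables pointing past the end, unprintable tags) is either damaged or not a font at all and should be looked at more closely rather than dismissed as a font resource.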