Malicious PDF — malware analysis report

Static analysis result for SHA-256 a811fbd78d25993a…

Verdict: MALICIOUS

File type: PDF

Size: 152.0 KB
Created: 2021-05-31 07:56:28 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-21
MD5: 753ba6cd9c21e679f77d5e7402a628bc
SHA-1: 7c3861d7184b7977c6f4f27c78d31623be0dd0e9
SHA-256: a811fbd78d25993a6ddf27fadff472ef3ea49baf2b045eae4489a2835a13b685
Risk score: 126

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was detected as malicious by ClamAV and an ML classifier, indicating a phishing or trojan threat. It contains numerous embedded URLs, many pointing to link farms on disposable hosting, suggesting an attempt to redirect users to malicious sites. The document body, though heavily obfuscated, appears to be a lure related to device setup, aligning with phishing tactics.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9282

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://resalured.ru/strik?utm_term=how+to+set+date+and+time+on+sharp+el-1801v (PDF link annotation)

Extracted artifacts (7)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                       Size
font_00_sfnt_off0001afbf.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1AFBF   6632 bytes
    SHA-256: c18c2d4326bc3b8f587f80a0afbee8f44fe63cfa91f5c718dffe729cdb486b8f
font_01_sfnt_off0001c021.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1C021   3852 bytes
    SHA-256: 8581af0a7c243619c55b84af4f8ab838395da9531905d2a1d9613989c5b35d60
font_02_sfnt_off0001cd9a.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1CD9A   5732 bytes
    SHA-256: 6cf3865866703f95c7da6074d8a9e52719da46c5dc715cdb21701a4757a2235d
font_03_sfnt_off0001e10b.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1E10B   10908 bytes
    SHA-256: eb70a12dddea901a1692901187fb8d6ac56ef46f1e7c0d5048fcda6de44ace99
font_04_sfnt_off000203ee.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x203EE   13776 bytes
    SHA-256: 7b38c983ada7fc162d3d1059868c448a36d7fd55d1b68e6879f607d6a1d49560
font_05_sfnt_off00023067.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x23067   16408 bytes
    SHA-256: ce8a20b7519cd566ecb17afb8d04134d1713f37dc3e4fde0caa675fc70d58935
font_06_sfnt_off0002466c.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x2466C   1736 bytes
    SHA-256: 5095ccdfdd328c3f25b1766e9c65bca58fa839170fcb9f3db3c20e130d955aff