Malicious PDF — malware analysis report

Static analysis result for SHA-256 a91c093c7a807ac0…

Verdict: MALICIOUS
File type: PDF
Size: 91.5 KB
Created: 2021-04-01 13:16:24 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-22
MD5: d452f0e720bab27814b3d42d36c3e755
SHA-1: 8dfdf0fa9367beba5ad9401ad2269561cf07db34
SHA-256: a91c093c7a807ac062699033162cc9c46bae0041270a5c7f452fe470c20c0a70
Risk Score: 124

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains multiple embedded URLs and is flagged by heuristics as a link farm on disposable hosting, indicating a malicious intent to redirect users. The ML classifier and ClamAV detection strongly suggest this PDF is malicious, likely a phishing lure or a distribution point for further malware. No scripts were extracted, but the presence of numerous external links points to an attempt to drive traffic to potentially harmful sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8431

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting [medium, PDF_SEO_DISPOSABLE_LINK_FARM]
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit: the risk is the linked destinations.
  • External URI [info, PDF_URI]
    PDF contains an external URL action.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0001198b.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1198B | 2972 bytes
  SHA-256: 6a961835775f2f04c4cbbc389e7595e82960d78c1828a3f7c48734963ed5ebd9
font_01_sfnt_off0001240e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1240E | 5228 bytes
  SHA-256: f4fafab6a4ca8c20f73d8ac28596b3e6b16b8a3d3c6d35d0fea0f2a1a571982e
font_02_sfnt_off000135e6.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x135E6 | 14416 bytes
  SHA-256: 428e13830dd5f366f5b4a72fbb1924d2c570c3ad58e6f7fcab29094dd580deb4