Malicious PDF — malware analysis report

Static analysis result for SHA-256 ad63aeb4add09eec…

Verdict: MALICIOUS
File type: PDF
Size: 96.6 KB
Created: 2021-03-25 08:53:49 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-06-17
MD5: f3c3a072c824204cd0938ae4831232cf
SHA-1: dd3eaea300f35f1380fe9274cb6e639e88cac5ad
SHA-256: ad63aeb4add09eec2e1062f6fc9a2d8dc26e8c3449ed0565afe6b605c496e481
Risk score: 182

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

A critical-severity heuristic fired because the PDF links to known malicious redirector infrastructure, specifically 'https://crophysi.ru/award?keyword=platelmintos+exercicios+pdf'. The ML classifier independently assigned the file a high probability of being malicious. The document body, though heavily obfuscated, contains text consistent with a search-engine lure for 'Platelmintos exercicios pdf'. None of the findings below describe a parser exploit; the risk lies in where the clickable links lead.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8669

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF links to known malicious redirector infrastructure [critical, PDF_MALICIOUS_REDIRECTOR_LINK]
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF is a non-clustered link farm on disposable hosting [medium, PDF_SEO_DISPOSABLE_LINK_FARM]
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • Embedded URL info [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (channel: PDF document text for every entry):
    • https://crophysi.ru/award?keyword=platelmintos+exercicios+pdf
    • http://dakisemakegag.sportsontheweb.net/padenegor.pdf
    • http://fakixigulidol.mywebcommunity.org/75607700852.pdf
    • https://static.s123-cdn-static.com/uploads/4405459/normal_6004403981ca2.pdf
    • https://cdn-cms.f-static.net/uploads/4481841/normal_60394b9f6816e.pdf
    • https://static.s123-cdn-static.com/uploads/4412388/normal_5feb5e9f7729e.pdf
    • https://cdn-cms.f-static.net/uploads/4480581/normal_601865496ae6b.pdf
    • https://cdn-cms.f-static.net/uploads/4384299/normal_605a808e1038f.pdf
    • https://cdn-cms.f-static.net/uploads/4424376/normal_601f1cf359759.pdf
    • http://koxelovanalimu.getenjoyment.net/ceclor_bula_comprimido.pdf
    • http://fodelogutejamit.getenjoyment.net/biblia_reina_valera_gomez_2020.pdf
    • http://dipenoguzel.sportsontheweb.net/can_i_put_epsom_salt_in_my_humidifier.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/d3b4f5e6-2e38-4747-9d22-f26605ceb22c/insinkerator_badger_500_not_working.pdf
    • https://uploads.strikinglycdn.com/files/d519de3b-7c03-4c89-8751-874ff47e13d5/american_history_textbook_high_school.pdf
    • http://dakafatuvuguviz.atwebpages.com/sagowevijokosokunidi.pdf
    • https://bf68d742-fb98-404a-ab47-1dcf24f7df52.filesusr.com/ugd/83e7fd_e26a29f25a8b423191c9cc52929c04b3.pdf?index=true
    • https://uploads.strikinglycdn.com/files/d631ecb5-2140-46d9-92ea-b8c2b374fa50/star_trek_the_next_generation_movies.pdf
    • https://d5fd0048-bb8d-45a1-ba21-28d1cb0b7162.filesusr.com/ugd/5e8de6_c7be1148d4b14a3e8a8039e879591b92.pdf?index=true
    • https://uploads.strikinglycdn.com/files/f201c6c6-6200-4aba-8847-f3e00867fe89/burger_king_impossible_whopper.pdf
    • https://75ca6b5e-a470-4e0e-8004-b00a9f1721b4.filesusr.com/ugd/1e4819_ab380626ab5f48b19c1ae41a07a1a92f.pdf?index=true
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    Triage note: the six entries under ascendercorp.com, daltonmaag.com, scripts.sil.org and dejavu.sourceforge.net are font vendor and license strings of the kind carried in embedded font metadata (DejaVu and Liberation fonts, for example), consistent with the four sfnt font streams carved below, and are unlikely to be lure content. The indicators worth acting on are the crophysi.ru keyword redirector and the nineteen .pdf links spread over free-hosting and site-builder upload domains.
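The EMBEDDED_URL channel labelling and the PDF_SEO_DISPOSABLE_LINK_FARM logic described above, as an added worked example that is not the scanner's own code. The PDF fragment is constructed (uncompressed, two objects) so the extraction runs offline; the list of free/disposable host suffixes, the query keys treated as SEO-redirector tell-tales, and the thresholds are assumptions, while REPORT_URLS is the URL list from this report and is used as realistic input.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Constructed, uncompressed PDF fragment (not the analysed sample). Object 1 is a
# /Link annotation whose /URI action is the click target; object 2 is a content
# stream that only shows a URL as visible text. Real samples Flate-compress their
# streams, so an extractor must inflate them before a regex pass like this one.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]\n"
    b"  /A << /S /URI /URI (https://crophysi.ru/award?keyword=platelmintos+exercicios+pdf) >> >>\n"
    b"endobj\n"
    b"2 0 obj << /Length 75 >> stream\n"
    b"BT /F1 10 Tf (http://dakisemakegag.sportsontheweb.net/padenegor.pdf) Tj ET\n"
    b"endstream endobj\n"
)

URI_ACTION = re.compile(rb"/S\s*/URI\s*/URI\s*\(([^)]*)\)")   # clickable link target
ANY_URL = re.compile(rb"https?://[^\s()<>\[\]]+")             # any URL-looking bytes


def extract_urls(pdf_bytes):
    """Return (url, channel) pairs; channel records how the URL is reached."""
    action_spans = [m.span(1) for m in URI_ACTION.finditer(pdf_bytes)]
    found = []
    for m in ANY_URL.finditer(pdf_bytes):
        clickable = any(lo <= m.start() < hi for lo, hi in action_spans)
        channel = "link annotation" if clickable else "document text"
        found.append((m.group().decode("latin-1"), channel))
    return found


# Assumed free/disposable hosting suffixes, taken from the hosts in this report; a
# production detector would carry a curated list. SEO_PARAMS is likewise assumed.
DISPOSABLE_HOST_SUFFIXES = (
    "sportsontheweb.net", "mywebcommunity.org", "getenjoyment.net", "atwebpages.com",
    "strikinglycdn.com", "filesusr.com", "f-static.net", "s123-cdn-static.com",
)
SEO_PARAMS = ("utm_term", "keyword")


def link_farm_score(urls, min_pdf_links=8, min_hosts=5, max_top_share=0.5):
    """Many external .pdf links thinly spread over many hosts, corroborated by an SEO
    redirector and/or disposable hosts. Thresholds are assumed, not the vendor's."""
    parsed = [urlparse(u) for u in urls]
    pdf_links = [p for p in parsed if p.path.lower().endswith(".pdf")]
    hosts = Counter(p.hostname for p in pdf_links)
    top_share = max(hosts.values()) / len(pdf_links) if pdf_links else 0.0
    disposable = sum(1 for p in pdf_links if any(
        (p.hostname or "").endswith(s) for s in DISPOSABLE_HOST_SUFFIXES))
    seo_redirector = [p.geturl() for p in parsed
                      if any(k in parse_qs(p.query) for k in SEO_PARAMS)]
    spread_thin = (len(pdf_links) >= min_pdf_links and len(hosts) >= min_hosts
                   and top_share <= max_top_share)          # no dominant host
    corroborated = bool(seo_redirector) or disposable * 2 >= len(pdf_links)
    return {
        "pdf_links": len(pdf_links),
        "distinct_hosts": len(hosts),
        "top_host_share": round(top_share, 2),
        "disposable_hosts": disposable,
        "seo_redirector": seo_redirector,
        "fires": spread_thin and corroborated,
    }


# The URLs extracted from this sample, as listed in the report above.
REPORT_URLS = [
    "https://crophysi.ru/award?keyword=platelmintos+exercicios+pdf",
    "http://dakisemakegag.sportsontheweb.net/padenegor.pdf",
    "http://fakixigulidol.mywebcommunity.org/75607700852.pdf",
    "https://static.s123-cdn-static.com/uploads/4405459/normal_6004403981ca2.pdf",
    "https://cdn-cms.f-static.net/uploads/4481841/normal_60394b9f6816e.pdf",
    "https://static.s123-cdn-static.com/uploads/4412388/normal_5feb5e9f7729e.pdf",
    "https://cdn-cms.f-static.net/uploads/4480581/normal_601865496ae6b.pdf",
    "https://cdn-cms.f-static.net/uploads/4384299/normal_605a808e1038f.pdf",
    "https://cdn-cms.f-static.net/uploads/4424376/normal_601f1cf359759.pdf",
    "http://koxelovanalimu.getenjoyment.net/ceclor_bula_comprimido.pdf",
    "http://fodelogutejamit.getenjoyment.net/biblia_reina_valera_gomez_2020.pdf",
    "http://dipenoguzel.sportsontheweb.net/can_i_put_epsom_salt_in_my_humidifier.pdf",
    "http://www.ascendercorp.com/",
    "http://www.ascendercorp.com/typedesigners.html",
    "http://www.daltonmaag.com/",
    "https://uploads.strikinglycdn.com/files/d3b4f5e6-2e38-4747-9d22-f26605ceb22c/insinkerator_badger_500_not_working.pdf",
    "https://uploads.strikinglycdn.com/files/d519de3b-7c03-4c89-8751-874ff47e13d5/american_history_textbook_high_school.pdf",
    "http://dakafatuvuguviz.atwebpages.com/sagowevijokosokunidi.pdf",
    "https://bf68d742-fb98-404a-ab47-1dcf24f7df52.filesusr.com/ugd/83e7fd_e26a29f25a8b423191c9cc52929c04b3.pdf?index=true",
    "https://uploads.strikinglycdn.com/files/d631ecb5-2140-46d9-92ea-b8c2b374fa50/star_trek_the_next_generation_movies.pdf",
    "https://d5fd0048-bb8d-45a1-ba21-28d1cb0b7162.filesusr.com/ugd/5e8de6_c7be1148d4b14a3e8a8039e879591b92.pdf?index=true",
    "https://uploads.strikinglycdn.com/files/f201c6c6-6200-4aba-8847-f3e00867fe89/burger_king_impossible_whopper.pdf",
    "https://75ca6b5e-a470-4e0e-8004-b00a9f1721b4.filesusr.com/ugd/1e4819_ab380626ab5f48b19c1ae41a07a1a92f.pdf?index=true",
    "http://scripts.sil.org/OFL",
    "http://dejavu.sourceforge.net",
    "http://dejavu.sourceforge.net/wiki/index.php/License",
]
```

Calling `extract_urls(SAMPLE_PDF)` labels the crophysi.ru URL as a link annotation (the thing a user can actually click) and the sportsontheweb.net URL as document text; `link_farm_score(REPORT_URLS)` counts 19 .pdf links over 12 hosts with the busiest host holding about a fifth of them, finds the keyword redirector, and fires. The font license URLs contribute nothing to the score, which is the behaviour you want from this family of heuristics.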

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00012a0a.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12A0A
    Size: 5160 bytes
    SHA-256: 534a5d87953bbbbcf279bc2f0f525724b382d85f0db0492f9ac170ae6eb88038
  • font_01_sfnt_off00013b77.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x13B77
    Size: 13264 bytes
    SHA-256: f3d8c2b3262508c89749064ac4dd2846fd7a59f12f36393145eab32b0cb5158f
  • font_02_sfnt_off000163aa.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x163AA
    Size: 16204 bytes
    SHA-256: 532315dfdc59b350d447ad91845dd8cc72a836e684f536ab9a4305dc5b53fb8e
  • font_03_sfnt_off000178da.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x178DA
    Size: 4324 bytes
    SHA-256: b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c