Malicious PDF — malware analysis report

Static analysis result for SHA-256 b25890f494061a77…

Verdict: MALICIOUS

File type: PDF

Size: 117.1 KB
Created: 2021-03-14 19:57:34 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-07-07
MD5: 76a9dcdd61ffd085085ab88421cd7aab
SHA-1: 4fc4433a242be3a87acd884d29b44efbc11bd41a
SHA-256: b25890f494061a77a3500cfe9aa6dd11f3814225d1a8d749082b38839fa3cb33
Risk Score: 74

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF document contains numerous embedded URLs pointing to disposable domains, indicating a link farm designed to distribute traffic or host malicious content. The ML classifier strongly flagged this PDF as malicious, and the presence of external URIs and a link farm heuristic further supports this assessment. While no scripts were extracted, the document's structure and URL distribution suggest it's part of a phishing or malware distribution campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics (5)

  • PDF_SEO_DISPOSABLE_LINK_FARM (severity: medium): Small PDF is a non-clustered link farm on disposable hosting
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • SE_URGENCY_LURE (severity: low): Urgency / deadline lure
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings.
  • PDF_URI (severity: info): External URI
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (severity: info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (severity: info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL | Channel
    • https://xezojetit.ru/wix?keyword=town+of+boonton+ordinances | PDF link annotation
    • http://topsalon.xyz/wewutovesarelezosihohtj.pdf | In PDF document text
    • http://wilidelefuguki.22web.org/home_economics_leaving_cert_journal_template.pdf | In PDF document text
    • http://zopokujejisolan.getenjoyment.net/dometic_refrigerator_ac_heating_element.pdf | In PDF document text
    • https://cdn-cms.f-static.net/uploads/4388427/normal_5fd76f1d866e7.pdf | In PDF document text
    • http://retys.space/46788711552h24zp.pdf | In PDF document text
    • https://cdn-cms.f-static.net/uploads/4378853/normal_5fd895c5bbdcd.pdf | In PDF document text
    • http://artelamp.store/gudovijesowikawob5ddz8.pdf | In PDF document text
    • https://zesadokalefon.weebly.com/uploads/1/3/2/6/132681767/lupewibojoju-pemuti.pdf | In PDF document text
    • https://mamunazeve.weebly.com/uploads/1/3/0/8/130814121/xozinasibekefe_bopokaro_bafefufes_mimemeje.pdf | In PDF document text
    • http://vozuzutiwajuzip.getenjoyment.net/19353990409.pdf | In PDF document text
    • https://cdn-cms.f-static.net/uploads/4418180/normal_6027d9df1ebe8.pdf | In PDF document text
    • http://lemumelubijene.iblogger.org/xarib.pdf | In PDF document text
    • https://cdn-cms.f-static.net/uploads/4381291/normal_5fd2a15537e0b.pdf | In PDF document text
    • http://lowufadit.scienceontheweb.net/kanawha_county_schools_wv_pay_scale.pdf | In PDF document text
    • https://cdn-cms.f-static.net/uploads/4417815/normal_604c9b144a78d.pdf | In PDF document text
    • http://www.ascendercorp.com/ | In PDF document text
    • http://www.ascendercorp.com/typedesigners.html | In PDF document text
    • http://luzeparuzibez.rf.gd/were_the_star_wars_books_first.pdf | In PDF document text
    • https://9e084d23-5bbf-42ad-98e9-fa9200f8584e.filesusr.com/ugd/4f663b_9df11ae84c63435f913226f0118c7aeb.pdf?index=true | In PDF document text
    • https://92923600-264c-4cb8-9d87-181083d4f0d6.filesusr.com/ugd/0bf43f_623fa14d3f404badaa336dcea06233a8.pdf?index=true | In PDF document text
    • http://vorisenunajix.myartsonline.com/86417287116.pdf | In PDF document text
    • https://08202b68-adf4-4b7d-bb06-fcebe54c78b8.filesusr.com/ugd/76dd3d_3128e3ba08da4c3cb63ddd7f0f114796.pdf?index=true | In PDF document text
    • https://e6b56e3c-1b88-4cfb-972d-ab1702b0a06e.filesusr.com/ugd/8c0e65_040a1608e96b462eb3e3f4e3ad5fc409.pdf?index=true | In PDF document text
    • http://xuxerutiwuv.onlinewebshop.net/methods_and_channels_of_communication.pdf | In PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# | In PDF document text
    • http://purl.org/dc/elements/1.1/ | In PDF document text
    • http://ns.adobe.com/pdf/1.3/ | In PDF document text
    • http://ns.adobe.com/xap/1.0/ | In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/ | In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/ | In PDF document text
    • http://scripts.sil.org/OFL | In PDF document text

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off00018a5c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x18A5C | 5164 bytes
  SHA-256: b866e309abad74f83433c0991909d9b8416c44dfc1ed249226bbc50ca66f3af2
font_01_sfnt_off00019c0a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x19C0A | 11968 bytes
  SHA-256: 35651996b89afd8a4b371d6f7d45c263a03297490dbf483bdc969a717b19195a