Malicious PDF — malware analysis report

Static analysis result for SHA-256 b3ce8451258e40c6…

MALICIOUS

PDF

81.8 KB Created: 2021-03-17 04:33:43 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 822c7a51227ae804f126f6938ee8316a SHA-1: 89115a3c5fff1ca3ed4d81728b0983e562dcd412 SHA-256: b3ce8451258e40c67490a4cdadd1228b3e927a051e99cfcb18a3d12ec68ddb73
204 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

The PDF contains multiple high-severity heuristics indicating suspicious and malicious links, including one that is algorithmically generated and another that is invisible. The ML classifier also flagged the PDF as malicious. The presence of these indicators suggests the document is designed to redirect users to potentially harmful websites, likely for phishing or to download further malicious content. No scripts were extracted, but the PDF structure and embedded URLs point towards a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6575

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link to algorithmically-generated URL high PDF_RANDOM_URL_LINK
    PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
  • Image-heavy PDF with invisible link to suspicious domain high PDF_SUSPICIOUS_LINK_LURE
    PDF is a small image-heavy lure with invisible link annotations that send the user to a suspicious high-risk-domain URI. This matches credential-phishing carriers where the visible document is only a prompt and the real collection flow happens on the linked website.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://xajibur.ru/award?keyword=borrowing+powers+of+a+company+pdf
    • https://cdn-cms.f-static.net/uploads/4463286/normal_5fe8783d5d2a2.pdf
    • http://verifiedbadge-lnstagram.com/juluvubesixenoxisujizefk4gr.pdf
    • https://static.s123-cdn-static.com/uploads/4457847/normal_5fce924db2b78.pdf
    • https://cdn.sqhk.co/jotenitix/lIyib42/gather_gators_8_bits_arcade_retro_games.pdf
    • http://topsale.pro/498341209023ch7g.pdf
    • http://firstreadersclub.com/107474446887g7pw.pdf
    • http://rabota-plus.club/lol_patch_10.23_release_date_philippinesa4bi0.pdf
    • http://loginwithfb.site/honda_maintenance_codes_a120g21o.pdf
    • https://static.s123-cdn-static.com/uploads/4492245/normal_60049499591da.pdf
    • https://static.s123-cdn-static.com/uploads/4478716/normal_5ff220ad6d217.pdf
    • http://bodyita.space/desh_bhakti_geet_marathixromq.pdf
    • https://cdn.sqhk.co/jokalirubore/hD5a4jc/23916439031.pdf
    • http://rebelliona.online/gexuwedagaxexuniponexiwwkp16.pdf
    • http://bestpriceforukraine.xyz/wezevekegufamawabojaxegulasbhn.pdf
    • https://cdn-cms.f-static.net/uploads/4378175/normal_6015c54037c9e.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/6ba28ca9-c565-4dc6-9592-93f1ff1e68bd/continuidad_de_los_parques_preguntas_quizlet.pdf
    • https://f3874c2d-c116-49c2-b7b6-9300dc8fc43e.filesusr.com/ugd/b11f6d_514f3e89a6e6401cbedcb26cbf0bd2c5.pdf?index=true
    • https://24451074-f53b-4065-993c-779ba3957988.filesusr.com/ugd/0ae25f_c9936330848642fc95a56fa0693a885c.pdf?index=true
    • https://uploads.strikinglycdn.com/files/28d9d6ad-163d-4c58-a1e5-566c0fab024a/eliphas_levi_english.pdf
    • https://7ec9ed57-df89-401a-953b-45744c150cee.filesusr.com/ugd/6e3131_efd747ef920a4c4f9f576b831a8652e7.pdf?index=true
    • https://uploads.strikinglycdn.com/files/46047fbe-41b5-4e91-946d-63e2ebf0789c/fewapaseguzesapadixakamu.pdf
    • https://uploads.strikinglycdn.com/files/bc054c5a-ae3b-4365-a4be-4269d8977845/22770928009.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ff61.bin
fa8408c754ab9e5710bb122bf0ee130d743713fe83c5ee16f0962342add1cdb3		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFF61 5684 bytes
font_01_sfnt_off000112cc.bin
ea2b37c34650591118a21717899f9a5c0a74a85e04395ee6e459f2a38652203a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x112CC 11024 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.