Malicious PDF — malware analysis report

Static analysis result for SHA-256 b664696c6b0073d7…

MALICIOUS

PDF

Size: 59.9 KB
Created: 2021-04-16 02:49:38 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 477313b49686ba71308e2743f8d16387
SHA-1: c276e564355da8ed47ed8c7819870c446a45b729
SHA-256: b664696c6b0073d75f6ade9b9f1be976b038eebd995403b8e962d24fb5354307
Risk Score: 124

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF was flagged by multiple heuristics, including a critical ClamAV detection for 'Pdf.Phishing.Trojan'. The embedded URLs and the PDF structure indicate a link farm built to redirect users to potentially malicious content, consistent with SEO-driven phishing. No script was extracted, so the T1059.007 (JavaScript) mapping is not corroborated by the static results; the file itself carries no exploit, and the risk lies in the linked destinations. The large number of external links across unrelated hosts nevertheless marks it as part of a phishing campaign, most likely delivered as a spearphishing attachment or surfaced through search results.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9868

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels, where present, indicate which channel (macro, JS, link annotation, document body, ...) reached each URL. Note that a font-licence reference such as the SIL OFL URL (http://scripts.sil.org/OFL) is typically carried in embedded font metadata rather than presented to the reader as a clickable lure, and an embedded sfnt font is indeed carved from this sample (see Extracted artifacts), so not every URL in the list is a phishing destination.
    • https://ambrose.edu/sites/default/files/webform/82598578892.pdf
    • http://russian-ice-spb.ru/sites/default/files/webform/files/97818084314.pdf
    • https://www.dgs-interparts.be/sites/default/files/64751185730.pdf
    • https://www.dgs-interparts.be/sites/default/files/muvok.pdf
    • http://seiary.com/sites/default/files/webform/rec/55418097166.pdf
    • https://www.blplegal.com/sites/default/files/webform/25596831819.pdf
    • https://www.telluridescience.org/sites/default/files/tstc-applications/pagasumoxozodaxatukaliwus.pdf
    • http://cicatsalud.com/html/sites/default/files/webform/28693943460.pdf
    • https://www.uts.cw/sites/default/files/webform/47116150145.pdf
    • http://www.guninetwork.org/system/files/webform/heirri_proposals/35039450578.pdf
    • https://grossenbacher.co.nz/en/system/files/avoidance-training-certificates/13178745316.pdf
    • https://www.a1touchsolution.nl/sites/default/files/larigujumikanezazezogiwi.pdf
    • http://portal-mysigma.com/system/files/student-proof/72808970040.pdf
    • https://www.natsihwa.org.au/sites/default/files/webform/tuwagamutavuvefofufeniz.pdf
    • https://ambrose.edu/sites/default/files/webform/26147793628.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://feedproxy.google.com/~r/skout/mBVl/~3/6naE_Nh8_CY/uplcv?utm_term=is+animal+crossing+the+best+game+ever
    • https://campusrec.princeton.edu/system/files/webform/luzatebinibaxopititum.pdf
    • http://scripts.sil.org/OFL
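The PDF_URI and PDF_SEO_DISPOSABLE_LINK_FARM heuristics above describe two steps: pull every /URI action out of the file, then test the resulting list for many external .pdf links spread thinly over many distinct hosts, corroborated by a utm_term SEO-redirector link. The following Python is an added example, not code from the report or from the analysis platform that produced it: it constructs a minimal PDF fragment carrying the same twenty URLs listed above (some in plain link annotations, some inside a FlateDecode stream, as an object stream would hold them), extracts the URLs with a byte-level scanner, and applies a host-dispersion check. The thresholds (max_size, min_links, min_hosts, max_dominant_share) are assumptions chosen for illustration; the report does not publish its own. The free/disposable-host allowlist the heuristic also mentions is omitted.

```python
"""Added example: re-derive PDF /URI extraction and a link-farm host-dispersion
check on a constructed PDF fragment carrying the report's URL list."""
import re
import zlib
from collections import Counter
from urllib.parse import parse_qs, urlparse

# The URLs extracted in the report above, copied verbatim.
REPORT_URLS = [
    "https://ambrose.edu/sites/default/files/webform/82598578892.pdf",
    "http://russian-ice-spb.ru/sites/default/files/webform/files/97818084314.pdf",
    "https://www.dgs-interparts.be/sites/default/files/64751185730.pdf",
    "https://www.dgs-interparts.be/sites/default/files/muvok.pdf",
    "http://seiary.com/sites/default/files/webform/rec/55418097166.pdf",
    "https://www.blplegal.com/sites/default/files/webform/25596831819.pdf",
    "https://www.telluridescience.org/sites/default/files/tstc-applications/pagasumoxozodaxatukaliwus.pdf",
    "http://cicatsalud.com/html/sites/default/files/webform/28693943460.pdf",
    "https://www.uts.cw/sites/default/files/webform/47116150145.pdf",
    "http://www.guninetwork.org/system/files/webform/heirri_proposals/35039450578.pdf",
    "https://grossenbacher.co.nz/en/system/files/avoidance-training-certificates/13178745316.pdf",
    "https://www.a1touchsolution.nl/sites/default/files/larigujumikanezazezogiwi.pdf",
    "http://portal-mysigma.com/system/files/student-proof/72808970040.pdf",
    "https://www.natsihwa.org.au/sites/default/files/webform/tuwagamutavuvefofufeniz.pdf",
    "https://ambrose.edu/sites/default/files/webform/26147793628.pdf",
    "http://www.ascendercorp.com/",
    "http://www.ascendercorp.com/typedesigners.html",
    "https://feedproxy.google.com/~r/skout/mBVl/~3/6naE_Nh8_CY/uplcv?utm_term=is+animal+crossing+the+best+game+ever",
    "https://campusrec.princeton.edu/system/files/webform/luzatebinibaxopititum.pdf",
    "http://scripts.sil.org/OFL",
]


def build_sample_pdf(urls):
    """Constructed PDF fragment (not the analysed sample): plain /Link
    annotations for the first 16 URLs and the rest inside a FlateDecode stream,
    so both extraction paths are exercised. No xref table is emitted; a
    byte-level scanner does not need one."""
    plain, packed = urls[:16], urls[16:]
    out = [b"%PDF-1.4\n"]
    for i, u in enumerate(plain, 1):
        out.append(b"%d 0 obj << /Type /Annot /Subtype /Link "
                   b"/A << /S /URI /URI (%s) >> >> endobj\n" % (i, u.encode()))
    body = b"".join(b"<< /S /URI /URI (%s) >>\n" % u.encode() for u in packed)
    data = zlib.compress(body)
    out.append(b"99 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n%s\nendstream\nendobj\n"
               % (len(data), data))
    return b"".join(out)


# /URI literal string "(...)" with backslash escapes; hex strings "<...>" and
# strings with unescaped nested parentheses are left to a real PDF parser.
_URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
# Body of a FlateDecode stream, so object streams can be scanned too.
_FLATE_RE = re.compile(rb"/FlateDecode.*?stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def extract_uri_actions(pdf_bytes):
    """Return every /URI literal found in the raw bytes and inside any
    FlateDecode stream that inflates cleanly (other filters are not handled)."""
    scopes = [pdf_bytes]
    for m in _FLATE_RE.finditer(pdf_bytes):
        try:
            scopes.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # malformed or differently-encoded stream: skip it
    urls = []
    for blob in scopes:
        for m in _URI_RE.finditer(blob):
            literal = re.sub(rb"\\([()\\])", rb"\1", m.group(1))  # undo \( \) \\
            urls.append(literal.decode("latin-1"))
    return urls


def link_farm_assessment(urls, pdf_size_bytes, *, max_size=250_000, min_links=8,
                         min_hosts=6, max_dominant_share=0.4):
    """Host-dispersion check. All four thresholds are illustrative assumptions."""
    external = [u for u in urls if urlparse(u).scheme in ("http", "https")]
    pdf_links = [u for u in external if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in pdf_links)
    dominant_share = max(hosts.values()) / len(pdf_links) if pdf_links else 0.0
    # utm_term on a non-document link is the SEO-redirector corroboration.
    seo_redirectors = [u for u in external if "utm_term" in parse_qs(urlparse(u).query)]
    is_link_farm = (pdf_size_bytes <= max_size and len(pdf_links) >= min_links
                    and len(hosts) >= min_hosts and dominant_share <= max_dominant_share
                    and bool(seo_redirectors))
    return {
        "external_links": len(external),
        "pdf_links": len(pdf_links),
        "distinct_hosts": len(hosts),
        "dominant_share": round(dominant_share, 3),
        "seo_redirectors": seo_redirectors,
        "is_link_farm": is_link_farm,
    }


if __name__ == "__main__":
    found = extract_uri_actions(build_sample_pdf(REPORT_URLS))
    # 61_338 bytes approximates the 59.9 KB reported for the sample.
    print(link_farm_assessment(found, pdf_size_bytes=61_338))
```

On the report's list this yields 16 .pdf links over 14 distinct hosts with a dominant-host share of 0.125 and one utm_term redirector, which is exactly the "spread thin, no dominant host" pattern the heuristic describes; a document citing the same host ten times fails the share threshold and is not flagged.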

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000d8da.bin
SHA-256: 98e5b3922f6b2ac3d3000e28d741a6cf126bb0617f4c0541a228c682033da85b
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xD8DA
Size: 5352 bytes