Malicious PDF — malware analysis report

Static analysis result for SHA-256 b79af04ef5ba473a…

Verdict: MALICIOUS
File type: PDF
Size: 125.6 KB
Created: 2021-04-16 19:24:06 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: dddfe55b032128b914bef119a9464014
SHA-1: cc82a980e92d52097c75898d6b947c8d96bcf7c0
SHA-256: b79af04ef5ba473af8a7b464dcafa4f64e4f43d05e05a9044d7c1d478667c2f8
Risk score: 124

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF contains numerous embedded URLs, many of which point to other PDF files parked in the public upload directories of unrelated third-party sites (several of them university domains). The PDF_SEO_DISPOSABLE_LINK_FARM heuristic flags this large number of links spread across disposable hosting, the pattern of an SEO link farm or phishing redirect infrastructure. The ML classifier and the ClamAV signature corroborate the verdict: the file is most plausibly a phishing lure or one hop in a malware-distribution chain. No script was extracted from the file, so the T1059.007 (JavaScript) mapping is not backed by an extracted artifact and should be treated as unconfirmed; it is the document structure and the URL pattern, not any active content, that make this consistent with malicious PDFs built to redirect users. The remaining URLs (GNU licences, SIL OFL, DejaVu, Lohit, SMC Meera and Sinhala font projects) are vendor and licence strings of the kind carried in the name tables of the embedded fonts and do not contribute to the verdict.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8246

Heuristics (4)

  • CLAMAV_DETECTION (critical): ClamAV detected this file as malware, signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF_SEO_DISPOSABLE_LINK_FARM (medium): Small PDF is a non-clustered link farm on disposable hosting
    The small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the "free document/template" SEO phishing PDF family: the document ranks for search queries and routes users into payload or redirect chains, rather than following a normal citation pattern. The PDF itself carries no exploit; the risk lies in the linked destinations.
  • PDF_URI (info): External URI
    The PDF contains an external URL action (/URI).
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. A URL in this list is not a detection by itself; what matters is the channel that reached it (macro, JS, link annotation, document body, ...), and the per-URL channel labels are not reproduced on this page. Two groups are visible below: the .pdf links on third-party upload directories together with the utm_term redirector, which drive the link-farm heuristic, and the font-project URLs (opentle.org, fedorahosted.org/lohit, ascendercorp.com, smc.org.in, daltonmaag.com, indictrans.org, dejavu.sourceforge.net, the gnu.org licence pages, scripts.sil.org/OFL, gitlab.com/smc/meera, sinhala.sourceforge.net, geocities.com), which are vendor and licence strings from the name tables of the embedded fonts listed under Extracted artifacts (the Meera, DejaVu and Sinhala fonts carry exactly such strings, which is also how font names, styles and version numbers end up glued to these URLs in a raw string dump). Only the first group is relevant to the verdict.
    • https://europa-ts.ru/sites/default/files/webform/sujeludepotunebimetoravij.pdf
    • https://ambrose.edu/sites/default/files/webform/58588935603.pdf
    • https://ambrose.edu/sites/default/files/webform/rebunedirewe.pdf
    • http://seiary.com/sites/default/files/webform/rec/jizexatunurometubukos.pdf
    • http://portal-mysigma.com/system/files/student-proof/wofofokarawivuboniju.pdf
    • http://cicatsalud.com/html/sites/default/files/webform/61943826361.pdf
    • https://www.enwidth.com/sites/default/files/webform/resumes/zozagosetimof.pdf
    • https://www.osgeurope.com/sites/osg-corporate.dev/files/webform/28911573484.pdf
    • https://www.jwico.com/sites/default/files/webform/pagijan.pdf
    • https://ambrose.edu/sites/default/files/webform/zateguzafafidefezibexe.pdf
    • https://www.a1touchsolution.nl/sites/default/files/95216779236.pdf
    • http://www.opentle.org
    • http://fedorahosted.org/lohit
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://smc.org.in
    • http://www.daltonmaag.com/
    • http://www.indictrans.org
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/1xuhb7AK25c/uplcv?utm_term=d%2526d+online+tabletop
    • https://lib.asu.edu/system/files/webform/delibenapu.pdf
    • https://www.vub.be/sites/vub/files/webform/pagilavamuvawasaxega.pdf
    • https://lib.asu.edu/system/files/webform/61431168480.pdf
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    • http://www.gnu.org/licenses/gpl.html
    • http://scripts.sil.org/OFL
    • https://gitlab.com/smc/meera/blob/master/COPYING
    • http://www.geocities.com/mitra_anirban/hobbies.htm
    • http://www.gnu.org/copyleft/gpl.htm
    • http://sinhala.sourceforge.net/
    • http://sinhala.cvs.sourceforge.net/viewvc/*checkout*/sinhala/sinhala/fonts/CREDITS
    • http://www.gnu.org/licenses/gpl-2.0.html
    • http://www.gnu.org/licenses/lgpl.html
    • http://www.geocities.com/dnhhng
    • http://scripts.sil.org
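The link-farm heuristic described above (PDF_SEO_DISPOSABLE_LINK_FARM) re-implemented as an added Python example over the clickable PDF links reported on this page. This is not the analysis engine's own code: the thresholds are assumed for illustration, and the test for /sites/<site>/files/ and /system/files/ paths (Drupal's public upload directories, where Webform submissions land) is my own addition, since the report only speaks of disposable hosting. The input list is constructed from the URLs above plus three font-licence URLs that must not count as links.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Illustrative thresholds; the engine's real cut-offs are not published on the report page.
MIN_PDF_LINKS = 8          # "many clickable external PDF links"
MIN_DISTINCT_HOSTS = 5     # "spread thin across many distinct hosts"
MAX_DOMINANT_SHARE = 0.40  # "no single dominant host"

# /sites/<site>/files/ and /system/files/ are Drupal's public upload directories (Webform
# uploads land under .../files/webform/). This path test is an addition of this example.
UPLOAD_DIR_RE = re.compile(r"/(?:sites/[^/]+|system)/files/")

# Constructed sample input: the clickable PDF links and the utm_term redirector from the
# report, plus three font-licence URLs that a correct heuristic must ignore.
SAMPLE_URLS = [
    "https://europa-ts.ru/sites/default/files/webform/sujeludepotunebimetoravij.pdf",
    "https://ambrose.edu/sites/default/files/webform/58588935603.pdf",
    "https://ambrose.edu/sites/default/files/webform/rebunedirewe.pdf",
    "http://seiary.com/sites/default/files/webform/rec/jizexatunurometubukos.pdf",
    "http://portal-mysigma.com/system/files/student-proof/wofofokarawivuboniju.pdf",
    "http://cicatsalud.com/html/sites/default/files/webform/61943826361.pdf",
    "https://www.enwidth.com/sites/default/files/webform/resumes/zozagosetimof.pdf",
    "https://www.osgeurope.com/sites/osg-corporate.dev/files/webform/28911573484.pdf",
    "https://www.jwico.com/sites/default/files/webform/pagijan.pdf",
    "https://ambrose.edu/sites/default/files/webform/zateguzafafidefezibexe.pdf",
    "https://www.a1touchsolution.nl/sites/default/files/95216779236.pdf",
    "https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/1xuhb7AK25c/uplcv?utm_term=d%2526d+online+tabletop",
    "https://lib.asu.edu/system/files/webform/delibenapu.pdf",
    "https://www.vub.be/sites/vub/files/webform/pagilavamuvawasaxega.pdf",
    "https://lib.asu.edu/system/files/webform/61431168480.pdf",
    "http://dejavu.sourceforge.net/wiki/index.php/License",
    "http://scripts.sil.org/OFL",
    "http://www.gnu.org/licenses/gpl.html",
]


def host_of(url):
    """Host key for clustering: lowercase netloc with a leading 'www.' removed."""
    host = urlparse(url).netloc.lower()
    return host[4:] if host.startswith("www.") else host


def score_link_farm(urls):
    """Many PDF links, spread over many hosts with no dominant one, corroborated by an
    SEO redirector (utm_term) or by links parked in upload directories."""
    pdf_links = [u for u in urls if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(host_of(u) for u in pdf_links)
    dominant_host, dominant_count = hosts.most_common(1)[0] if hosts else ("", 0)
    dominant_share = dominant_count / len(pdf_links) if pdf_links else 0.0
    utm_term_links = [u for u in urls if "utm_term" in parse_qs(urlparse(u).query)]
    upload_dir_links = [u for u in pdf_links if UPLOAD_DIR_RE.search(urlparse(u).path)]
    spread_thin = (len(pdf_links) >= MIN_PDF_LINKS
                   and len(hosts) >= MIN_DISTINCT_HOSTS
                   and dominant_share <= MAX_DOMINANT_SHARE)
    corroborated = bool(utm_term_links) or bool(upload_dir_links)
    return {
        "pdf_links": len(pdf_links),
        "distinct_hosts": len(hosts),
        "dominant_host": dominant_host,
        "dominant_share": round(dominant_share, 3),
        "utm_term_links": len(utm_term_links),
        "upload_dir_links": len(upload_dir_links),
        "verdict": spread_thin and corroborated,
    }


if __name__ == "__main__":
    for key, value in score_link_farm(SAMPLE_URLS).items():
        print(f"{key}: {value}")
```

On the page's own links this yields 14 PDF links over 11 hosts with ambrose.edu as the largest cluster at roughly a fifth of the links, one utm_term redirector and every PDF link sitting in an upload directory, so the verdict is true; ten links to a single host fail the spread-thin test even though they sit in an upload directory, which is the "non-clustered" part of the heuristic name.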

Extracted artifacts (16)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
stream_011_off0001705c.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x1705C | 19380 bytes | 9564b241302e158315f08a0b9c21d36b3ff3c44ac475cc585310e34d7b103d38
font_00_sfnt_off0000dcf0.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xDCF0 | 6148 bytes | 149738eb3e1d0bfb4a5732e89a115965e6f0cf3fc4971c694d3ce3619176544d
font_01_sfnt_off0000ecd0.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xECD0 | 3612 bytes | f0a2204899d1e3318a6bd81c872bf71f9687a1eb2abd97e43f363b8beb464341
font_02_sfnt_off0000fae6.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFAE6 | 17636 bytes | 30e7a1045175c6da0ec4f27d0a97e34a441cdffbab0165baf42dc55640aebb22
font_03_sfnt_off00012c9b.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12C9B | 3484 bytes | 6d180028f71bbfcf2b8105938643ee3a2a1c409b0c980e92ec88398b70d34608
font_04_sfnt_off00013806.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13806 | 2604 bytes | 0e4b190990c22158f359a0de2485c61736e93a484cfb226f63bccb9bc1da1b2f
font_05_sfnt_off00014315.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x14315 | 3048 bytes | 2f58f42410b60611991c12283e964e03297a95500ca09b14f4d605296bc50bc4
font_06_sfnt_off00014f22.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x14F22 | 2656 bytes | dbaab8dcf32bfe64cb008f34eb54f5316f62236e8dffe3de49b44225404383a5
font_07_sfnt_off000159fb.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x159FB | 6484 bytes | ee2530f169c748cd60c895f7ba5165278924119268fafb828b8506f09863a3e7
font_09_sfnt_off0001918e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1918E | 4324 bytes | cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34
font_10_sfnt_off00019f94.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x19F94 | 4140 bytes | 7073f777ec002e82a856420936458262fa3cc3b4ee0437ed56f01fa51c4379d2
font_11_sfnt_off0001ac85.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1AC85 | 3840 bytes | 5b8e8035f8940535bfb5f3d78de7d5c45dbc51c905faa5d9788b8fc152e96872
font_12_sfnt_off0001ba98.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1BA98 | 4544 bytes | 53570b1addc227c644bcbe5fafcce3e1ca8a5779b7722260ef5244079f464722
font_13_sfnt_off0001c8a6.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1C8A6 | 2108 bytes | d117309382da938f7dffedc42f90dd4217b4d540d75629b80669d975ecbc171e
font_14_sfnt_off0001d284.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1D284 | 4336 bytes | 87016e8933cc862d1d188edfbee698abcff8178ed3d6b510b61737ee02f60284
font_15_sfnt_off0001e02e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1E02E | 4216 bytes | cf1f64e2e40b673e905a7144f0f78914353b51ead6a82b3d8aeaa2f16fa670a9
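The EMBEDDED_URL note above says a URL should be judged by the channel that reached it, and the carved artifacts are almost all embedded sfnt fonts. The following added Python example (mine, not the analysis engine's code) carves FlateDecode streams out of a PDF, recognises sfnt fonts by their magic, and decodes the name table record by record, so that vendor and licence URLs are attributed to the font rather than to a clickable link annotation; it also runs a naive regex over the raw font bytes to show why a string dump fuses the following name record onto a URL, the effect seen in the smc.org.in and gpl.htm entries of the URL list. The sample PDF, its annotation target (uploads.example.invalid) and the DejaVu name-table strings are constructed inline; /Length is assumed to be a direct integer, and the regexes are deliberately minimal rather than a full PDF parser.

```python
import re
import struct
import zlib

# URL pattern of the kind a carver runs over raw bytes; whitespace, brackets and quotes end a URL.
URL_RE = re.compile(rb"""https?://[^\s()<>"']+""")
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true")  # TrueType, CFF OpenType, Mac TrueType


def build_name_table(records):
    """Build an sfnt 'name' table from [(platform_id, name_id, text)]; platform 3 (Windows)
    strings are UTF-16BE, platform 1 (Macintosh) strings are single-byte."""
    recs, storage = b"", b""
    for platform_id, name_id, text in records:
        raw = text.encode("utf-16-be") if platform_id == 3 else text.encode("latin-1")
        recs += struct.pack(">HHHHHH", platform_id, 1 if platform_id == 3 else 0, 0,
                            name_id, len(raw), len(storage))
        storage += raw
    return struct.pack(">HHH", 0, len(records), 6 + 12 * len(records)) + recs + storage


def build_sfnt(name_table):
    """Wrap a name table in a TrueType container with a one-entry table directory."""
    header = struct.pack(">IHHHH", 0x00010000, 1, 16, 0, 0)             # 12-byte offset table
    directory = struct.pack(">4sIII", b"name", 0, 28, len(name_table))  # table follows at 28
    return header + directory + name_table


def build_sample_pdf():
    """Constructed sample (not the analysed file): one /Link annotation with a /URI action
    and one FlateDecode-compressed font whose name table carries vendor and licence URLs."""
    font = build_sfnt(build_name_table([
        (1, 11, "http://dejavu.sourceforge.net"),                         # nameID 11: vendor URL
        (1, 1, "DejaVu Sans"),                                            # nameID 1, stored right behind it
        (3, 14, "http://dejavu.sourceforge.net/wiki/index.php/License"),  # nameID 14: licence URL
    ]))
    packed = zlib.compress(font)
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]\n",
        b"   /A << /S /URI /URI (https://uploads.example.invalid/sites/default/files/webform/sample.pdf) >> >>\nendobj\n",
        b"2 0 obj\n<< /Length %d /Filter /FlateDecode /Length1 %d >>\nstream\n" % (len(packed), len(font)),
        packed, b"\nendstream\nendobj\n",
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
    ])


def link_annotation_uris(pdf):
    """URLs reachable by clicking: /URI actions of link annotations (literal-string form only)."""
    return [m.group(1).decode("latin-1")
            for m in re.finditer(rb"/S\s*/URI\s*/URI\s*\(([^)]*)\)", pdf)]


def carve_streams(pdf):
    """Yield (object_dict, decoded_bytes) per stream object. Assumes a direct integer /Length;
    an indirect '/Length n 0 R' would need xref resolution and is skipped here."""
    for m in re.finditer(rb"(?<!end)stream\r?\n", pdf):  # skip the 'stream' inside 'endstream'
        obj_dict = pdf[pdf.rfind(b" obj", 0, m.start()):m.start()]
        length = re.search(rb"/Length\s+(\d+)", obj_dict)
        if not length:
            continue
        raw = pdf[m.end(): m.end() + int(length.group(1))]
        yield obj_dict, zlib.decompress(raw) if b"/FlateDecode" in obj_dict else raw


def sfnt_name_strings(font):
    """Decode the 'name' table of an sfnt record by record -> [(name_id, text)]."""
    num_tables = struct.unpack(">H", font[4:6])[0]
    for i in range(num_tables):
        tag, _csum, off, length = struct.unpack(">4sIII", font[12 + 16 * i: 28 + 16 * i])
        if tag == b"name":
            break
    else:
        return []
    name = font[off: off + length]
    _fmt, count, storage = struct.unpack(">HHH", name[:6])
    out = []
    for i in range(count):
        pid, _eid, _lid, nid, slen, soff = struct.unpack(">HHHHHH", name[6 + 12 * i: 18 + 12 * i])
        raw = name[storage + soff: storage + soff + slen]
        out.append((nid, raw.decode("utf-16-be") if pid in (0, 3) else raw.decode("latin-1")))
    return out


def attribute_urls(pdf):
    """Map each URL to the channel(s) that produced it: a clickable link annotation, a decoded
    font name-table record, or a naive regex over raw stream bytes (kept to show the fusion)."""
    found = {}
    for uri in link_annotation_uris(pdf):
        found.setdefault(uri, set()).add("link-annotation")
    for _obj_dict, blob in carve_streams(pdf):
        if blob[:4] in SFNT_MAGICS:
            for nid, text in sfnt_name_strings(blob):
                for url in re.findall(r"https?://\S+", text):
                    found.setdefault(url, set()).add("font-name-table(nameID=%d)" % nid)
        for url in URL_RE.findall(blob):
            found.setdefault(url.decode("latin-1"), set()).add("raw-stream-regex")
    return found


if __name__ == "__main__":
    for url, channels in sorted(attribute_urls(build_sample_pdf()).items()):
        print(url, sorted(channels))
```

On the sample the annotation URL is reported only as a link annotation, the two DejaVu URLs only as name-table records (nameID 11 and 14), and the raw-bytes regex yields the fused "http://dejavu.sourceforge.netDejaVu" instead of the vendor URL, because the family name is stored immediately after it in the string storage; the UTF-16BE licence string is invisible to the raw regex altogether. Attributing by channel is what lets the verdict rest on the clickable links alone.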