Malicious PDF — malware analysis report

Static analysis result for SHA-256 b8e239a5cb7f55b6…

Verdict: MALICIOUS
File type: PDF
Size: 113.5 KB
Created: 2021-04-11 08:56:45 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-24
MD5: bdce75ec0c861465badbd2a33991b175
SHA-1: aee218d6217ba0b1898a41f73f28af51636c71d4
SHA-256: b8e239a5cb7f55b63a9fa23606856bed7ce397a2374ba5a48ed8ead80abb4b04
Risk score: 126

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. It contains numerous external URIs, with a primary focus on a link farm hosted on disposable domains, suggesting a phishing or scam attempt. The document body, though heavily obfuscated, appears to be a lure related to search terms, directing users to a malicious URL. No scripts were extracted, but the PDF structure itself facilitates the redirection.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9503

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting (severity: medium, rule: PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://jumiwimov.ru/strik?utm_term=stand+off+meaning+in+hindi (PDF link annotation)
    • https://static.s123-cdn-static.com/uploads/4451753/normal_5ff56c29f2fb1.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4386605/normal_5ff15cfb00571.pdf (in PDF document text)
    • http://rating-bookmaker.ru/zujumizebawastffm.pdf (in PDF document text)
    • http://kernig.pro/the_art_of_racing_in_the_rain_netflixps7zt.pdf (in PDF document text)
    • http://xaraxag.mypressonline.com/estadistica_descriptiva_que_es.pdf (in PDF document text)
    • http://wulixiv.sportsontheweb.net/kinabifemotidu.pdf (in PDF document text)
    • http://megantv.site/how_old_mila_kunis_that_70s_showr2hr5.pdf (in PDF document text)
    • http://waverufusufafuv.scienceontheweb.net/aadhar_card_application_form_download_kannada.pdf (in PDF document text)
    • https://cdn.sqhk.co/tajudozizif/hibibH4/galaxy_invaders_alien_shooter_online.pdf (in PDF document text)
    • http://evromotors.net/blink_by_malcolm_gladwell_quotesddl36.pdf (in PDF document text)
    • http://lnstagramverificationbadge.com/raveriwekikor82tc8.pdf (in PDF document text)
    • https://cdn.sqhk.co/zajikeze/wja0jeb/formal_letter_to_state_representative.pdf (in PDF document text)
    • http://fukuzowi.sportsontheweb.net/what_is_par_value_quizlet.pdf (in PDF document text)
    • http://jadaribod.mygamesonline.org/three_column_cash_book_format.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4422627/normal_606bd2e85677d.pdf (in PDF document text)
    • https://cdn.sqhk.co/vagewovupug/hjhLjgO/best_weather_apps_for_android_home_screen.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • http://fedorahosted.org/lohit (in PDF document text)
    • http://www.opentle.org (in PDF document text)
    • https://s3.amazonaws.com/bopuxosavubare/55135908985.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/631ef286-21b8-4e7f-be94-4097d24ded93/p90_simple_kitchen_nutrition_guide_download.pdf (in PDF document text)
    • https://s3.amazonaws.com/lixuzo/52800346920.pdf (in PDF document text)
    • https://s3.amazonaws.com/nuvukivaxiren/kakukakojuxafasijasipav.pdf (in PDF document text)
    • https://s3.amazonaws.com/firudegix/change_my_mind_about_hinge_answers.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/807ecd95-ea8d-43cc-97c2-c1885301c017/how_to_fight_climate_change_as_a_student.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/d9822b02-f6bc-488c-8797-df26224c7156/valevotita.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    • http://www.gnu.org/licenses/gpl.html (in PDF document text)

Extracted artifacts (10)

Files carved from inside the sample during analysis.

  • stream_011_off000186fe.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x186FE
    Size: 18456 bytes
    SHA-256: 875caf7eac28b9de44799f1d2493e211f9315164a185ba4e30cd9284c7686d4c
  • font_00_sfnt_off0000f49b.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF49B
    Size: 5684 bytes
    SHA-256: d9df6945b54372b4ce1b038b385752c5e534dd56f39eb70cfae60a2504a527db
  • font_01_sfnt_off00010877.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10877
    Size: 5120 bytes
    SHA-256: 3734d34b8db673f755bab8dee801af4e9b354b7eea7861cf561bc5f90a57e83a
  • font_02_sfnt_off000119c0.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x119C0
    Size: 2656 bytes
    SHA-256: dbaab8dcf32bfe64cb008f34eb54f5316f62236e8dffe3de49b44225404383a5
  • font_03_sfnt_off000124c4.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x124C4
    Size: 2328 bytes
    SHA-256: 864cbe2c6973b44d2b71e19ffbffb2328dcb3759b07ceb43c11d5a372fc4956d
  • font_04_sfnt_off00012f7a.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12F7A
    Size: 2108 bytes
    SHA-256: d117309382da938f7dffedc42f90dd4217b4d540d75629b80669d975ecbc171e
  • font_05_sfnt_off00013945.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x13945
    Size: 6640 bytes
    SHA-256: 538512be6c526ea957b587fa229624d829dca4873b622d187784a60d2c877fcd
  • font_06_sfnt_off00014adb.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x14ADB
    Size: 1724 bytes
    SHA-256: f83e6de3691ad52a85b4b046ce3648991255f336d0397087d3cee8e58848d230
  • font_07_sfnt_off00015379.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x15379
    Size: 16960 bytes
    SHA-256: eff88a85f7dec9630529c93b51330e3f5afee9cffee43bbc3374471566566009
  • font_09_sfnt_off0001a4b7.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1A4B7
    Size: 4168 bytes
    SHA-256: b69db7e17f8a94232f4628bdb8d459271bb6d86e924e2c19a246c99aac49cf78