Malicious PDF — malware analysis report

Static analysis result for SHA-256 c2577bcec68580e1…

Verdict: MALICIOUS
File type: PDF
Size: 62.7 KB
Created: 2021-03-18 09:47:42 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-08-25
MD5: a3a691a6c0628b91f71e3bc051c32384
SHA-1: 9f4dd438bc14a69f40d6e603d3e028823eac86fd
SHA-256: c2577bcec68580e1f8bfe935c5b7da6b7769105af0eb123f4868dad94450f989
Risk score: 184

Malware Insights

MITRE ATT&CK

  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

This PDF was flagged as malicious by ClamAV (a Pdf.Phishing.Trojan signature) and by the Nyx PDF classifier (malicious score 0.8358). It is a 62.7 KB document generated with wkhtmltopdf whose body text carries 26 external URLs: 23 of them point at further .pdf files on free or disposable hosting (five on Weebly subdomains, five on Wix filesusr.com uploads, the rest on free web-hosting subdomains and throwaway domains), and the single clickable link annotation points at an SEO redirector on zajinet.ru carrying a utm_term search query. That combination is the generated "free document/template" SEO link-farm carrier: the PDF ranks for search queries and routes visitors into redirect or payload chains at the linked destinations. No heuristic reports JavaScript, an embedded file, or an exploit inside the PDF itself (the T1059.007 tag is not backed by any finding in this report), so the risk is the links, not the document. The two www.ascendercorp.com URLs and scripts.sil.org/OFL are font-license references carried by the embedded font data and are not part of the link farm.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8358

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://zajinet.ru/strik?utm_term=what+is+c3+c4+and+cam+plants (PDF link annotation)
    • http://alexandreablog.com/dezabominizabetexenusesizdfnb3.pdf (in PDF document text)
    • http://beviluxenumiliv.mywebcommunity.org/vizio_m65-c1_wont_turn_on.pdf (in PDF document text)
    • https://nobaloledajasom.weebly.com/uploads/1/3/2/6/132681012/9028482.pdf (in PDF document text)
    • http://azalea.store/32472154746giyjq.pdf (in PDF document text)
    • http://interbankdigital.com/6820788617473q35.pdf (in PDF document text)
    • https://gurugurib.weebly.com/uploads/1/3/1/3/131384113/de00dd3f8eb.pdf (in PDF document text)
    • http://lizuzezusad.medianewsonline.com/anthropology_optional_paper_2020.pdf (in PDF document text)
    • http://redpandarecycling.com/64289288477qh5c1.pdf (in PDF document text)
    • http://gomigapujasep.sportsontheweb.net/kebuzalaluleki.pdf (in PDF document text)
    • http://tersq.space/biriba_card_gamewgwtl.pdf (in PDF document text)
    • https://livadekawa.weebly.com/uploads/1/3/5/3/135317457/vijopesuripum.pdf (in PDF document text)
    • https://webexozaputer.weebly.com/uploads/1/3/2/6/132681415/vugusoxoluzet.pdf (in PDF document text)
    • http://wejowadizabudex.mypressonline.com/business_plan_for_startup_business_template.pdf (in PDF document text)
    • http://xonigej.mypressonline.com/fekorerabakufijupibedi.pdf (in PDF document text)
    • https://doxekitonibi.weebly.com/uploads/1/3/5/3/135326555/sebivikimelapiw.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text; font-license reference)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text; font-license reference)
    • http://jasesazolaf.myartsonline.com/gojom.pdf (in PDF document text)
    • http://bidusibebawuz.onlinewebshop.net/rajikasimamode.pdf (in PDF document text)
    • http://tiwatimab.atwebpages.com/how_do_i_set_my_dvr_remotely_xfinity.pdf (in PDF document text)
    • https://781b76d0-895c-4d4e-90f3-491762fad171.filesusr.com/ugd/894952_71e24572c7004284aafba057413d1785.pdf?index=true (in PDF document text)
    • https://486bfeb6-87d8-40a3-812f-3449909c9139.filesusr.com/ugd/81b904_1d239466f5b647eb9e11951c3a4a2743.pdf?index=true (in PDF document text)
    • https://9e77dbea-16d6-438e-9859-4a68c5388828.filesusr.com/ugd/3225da_41943a155fe148e7a935e9abb3507a5c.pdf?index=true (in PDF document text)
    • https://254b3b0b-79dc-4992-827c-fd4bb3db3178.filesusr.com/ugd/f515ca_31a3117c98b34fe48b7fed1bfc31f83c.pdf?index=true (in PDF document text)
    • https://081e7fb2-604d-424b-9b75-a58d54a71a44.filesusr.com/ugd/abd6ea_3518a4a267dc4ffc98ee92e764df54c4.pdf?index=true (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text; font-license reference)
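The channel split above (a clickable /URI link annotation versus URLs that merely sit in the page text) and the two link-farm rules (host clustering versus a thin spread across disposable hosts, corroborated by a utm_term redirector) can be reproduced with a few lines of standard-library Python. The following is an added example written for this page, not the analysis platform's own code. It builds a constructed, uncompressed mini-PDF that reuses hosts from the URL list above, extracts URLs per channel by scanning the raw bytes, and then applies the triage logic. The rule thresholds (MIN_PDF_LINKS, DOMINANT_SHARE), the free-host suffix list, and the "font-license host" set are assumptions chosen to illustrate the rules, not the platform's real parameters.

```python
"""Two-channel URL extraction from a PDF plus link-farm triage (added example)."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample, not the report's file. A minimal, uncompressed PDF with
# one /URI link annotation (the "PDF link annotation" channel) and a content
# stream whose text strings carry .pdf URLs (the "PDF document text" channel).
# Hosts come from the report's URL list; page layout and /Length are made up
# and this byte-level scan never relies on them.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] /Contents 5 0 R >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [40 700 300 720]
 /A << /S /URI /URI (https://zajinet.ru/strik?utm_term=what+is+c3+c4+and+cam+plants) >> >> endobj
5 0 obj << /Length 600 >> stream
BT /F1 10 Tf 40 680 Td 12 TL
(http://alexandreablog.com/dezabominizabetexenusesizdfnb3.pdf) Tj T*
(https://nobaloledajasom.weebly.com/uploads/1/3/2/6/132681012/9028482.pdf) Tj T*
(https://gurugurib.weebly.com/uploads/1/3/1/3/131384113/de00dd3f8eb.pdf) Tj T*
(http://azalea.store/32472154746giyjq.pdf) Tj T*
(http://tiwatimab.atwebpages.com/how_do_i_set_my_dvr_remotely_xfinity.pdf) Tj T*
(https://781b76d0-895c-4d4e-90f3-491762fad171.filesusr.com/ugd/894952_71e24572c7004284aafba057413d1785.pdf?index=true) Tj T*
(Font license: http://www.ascendercorp.com/) Tj
ET
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# /URI (...) inside a link action: the clickable channel (PDF_URI).
URI_ANNOT_RE = re.compile(rb"/URI\s*\((https?://[^)]*)\)")
# Any URL-looking run anywhere in the raw bytes: the document-text channel.
URL_RE = re.compile(rb"https?://[^\s()<>'\"]+")


def extract_urls(pdf_bytes):
    """Return URLs per channel, de-duplicated and in file order.
    Raw-byte scanning only: URLs inside FlateDecode-compressed streams or
    split across PDF string fragments are missed, so real tooling decodes
    streams first (assumed out of scope for this example)."""
    annot = []
    for m in URI_ANNOT_RE.finditer(pdf_bytes):
        u = m.group(1).decode("latin-1")
        if u not in annot:
            annot.append(u)
    text = []
    for m in URL_RE.finditer(pdf_bytes):
        u = m.group(0).decode("latin-1")
        if u not in annot and u not in text:
            text.append(u)
    return {"link_annotation": annot, "document_text": text}


# Free/disposable hosting suffixes, assumed from the hosts in this report's
# URL list; a production list would be longer and maintained separately.
FREE_HOST_SUFFIXES = (
    "weebly.com", "filesusr.com", "atwebpages.com", "mypressonline.com",
    "myartsonline.com", "mywebcommunity.org", "medianewsonline.com",
    "sportsontheweb.net", "onlinewebshop.net",
)
# Hosts of font-license URLs that embedded fonts carry in their name tables.
FONT_LICENSE_HOSTS = {"www.ascendercorp.com", "scripts.sil.org"}
MIN_PDF_LINKS = 5     # assumed threshold for "mass" external .pdf linking
DOMINANT_SHARE = 0.5  # assumed share of links on one host to call it clustered


def _on_free_host(host):
    return any(host == s or host.endswith("." + s) for s in FREE_HOST_SUFFIXES)


def link_farm_triage(urls):
    """Mimic the PDF_SEO_LINK_FARM / PDF_SEO_DISPOSABLE_LINK_FARM split:
    count external .pdf links, measure host clustering, and look for the
    utm_term redirector and free-host corroboration."""
    parts = [(u, urlsplit(u)) for u in urls]
    font_refs = [u for u, p in parts if p.hostname in FONT_LICENSE_HOSTS]
    pdf_links = [p for _, p in parts
                 if p.hostname and p.path.lower().endswith(".pdf")]
    hosts = Counter(p.hostname for p in pdf_links)
    top_share = hosts.most_common(1)[0][1] / len(pdf_links) if pdf_links else 0.0
    utm_redirector = any("utm_term=" in p.query for _, p in parts)
    disposable = sum(1 for p in pdf_links if _on_free_host(p.hostname))
    labels = []
    if len(pdf_links) >= MIN_PDF_LINKS:
        if top_share >= DOMINANT_SHARE:
            labels.append("PDF_SEO_LINK_FARM")
        elif utm_redirector or disposable:
            labels.append("PDF_SEO_DISPOSABLE_LINK_FARM")
    return {
        "pdf_link_count": len(pdf_links),
        "distinct_hosts": len(hosts),
        "top_host_share": round(top_share, 3),
        "utm_redirector": utm_redirector,
        "disposable_host_links": disposable,
        "font_license_refs": font_refs,
        "labels": labels,
    }


if __name__ == "__main__":
    found = extract_urls(SAMPLE_PDF)
    print(found)
    print(link_farm_triage(found["link_annotation"] + found["document_text"]))
```

Clustering here is measured on the full hostname. On free hosting every tenant gets its own subdomain, so the five Weebly and five filesusr.com links in the report look like ten distinct hosts under this measure; clustering on the registrable domain instead would report them as two hosts of five links each and could flip the verdict toward PDF_SEO_LINK_FARM. Decide which measure a rule uses before comparing it against another tool's output.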

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000deda.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xDEDA   5484 bytes
SHA-256: b81bb725cfeddea87acdba230e507358e036dcaecb582734484b3b508d7a399d