Malicious PDF — malware analysis report

Static analysis result for SHA-256 c3b92b5d97a2081d…

MALICIOUS

PDF

83.4 KB Created: 2021-03-07 06:18:16 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d433923be4bc640f0290bd75165c63b9 SHA-1: 3dba982bf92f61abaa36ec13fbaec113ff695476 SHA-256: c3b92b5d97a2081df46924276dee50a422f31bea566182fcbed1337a159dafdb
126 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains heuristics indicating it is a link farm and is flagged by ML and ClamAV as malicious, specifically as a phishing trojan. The embedded URL leads to a domain associated with malicious activity. Although no scripts were explicitly extracted, the PDF structure and external URL suggest an attempt to redirect users to a malicious site, likely for phishing or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jumiwimov.ru/aws?utm_term=amsco+us+history+answer+key
    • https://cdn-cms.f-static.net/uploads/4413125/normal_5fd7ef1310450.pdf
    • https://static.s123-cdn-static.com/uploads/4417990/normal_5feee5147d850.pdf
    • https://cdn-cms.f-static.net/uploads/4403561/normal_6036bc0a72801.pdf
    • https://cdn-cms.f-static.net/uploads/4386828/normal_6014f55d59e09.pdf
    • https://cdn-cms.f-static.net/uploads/4416490/normal_5fd19e03b77dd.pdf
    • http://tetuzat.22web.org/dead_cells_insufferable_crypt_guide.pdf
    • https://static.s123-cdn-static.com/uploads/4530070/normal_5ff67c5271c75.pdf
    • https://cdn-cms.f-static.net/uploads/4381294/normal_5fe65ef4abaef.pdf
    • https://cdn-cms.f-static.net/uploads/4417543/normal_601f6434a353e.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/ff7cbc56-0eb9-4afb-a288-790a02eeeeb9/lajitajituxamukilod.pdf
    • https://4abf464d-34d5-4c80-8de5-e64f30e04530.filesusr.com/ugd/8b3eb5_43d237b709044f3e999ca6ba06de490f.pdf?index=true
    • https://s3.amazonaws.com/devuxuzejozam/75708548817.pdf
    • https://s3.amazonaws.com/xomudufe/82511450551.pdf
    • https://e4da1597-3bb3-488b-9226-7c2c9e06e9ce.filesusr.com/ugd/db5d73_e006a7b9ea914bc8918d7735e67cc174.pdf?index=true
    • https://s3.amazonaws.com/xutomoxu/72526620117.pdf
    • https://s3.amazonaws.com/bubisifapagefe/42490185400.pdf
    • https://0926596c-b1e6-4473-87d6-fed2e709bfeb.filesusr.com/ugd/e2a635_0075d6ac06f846f48d53e5fcaaea5484.pdf?index=true
    • http://wifukuvupuluxu.epizy.com/types_of_business_ownership_lesson_plan.pdf
    • https://uploads.strikinglycdn.com/files/f1f36ba4-9e20-4dc8-8648-f5776e6c66f7/zezufedurasixutijupepaja.pdf
    • http://tezafafowajij.epizy.com/71021636072.pdf
    • https://59bb578d-b312-442a-858b-1a1a54b18a6c.filesusr.com/ugd/c79b1c_b2ef87d22ad44f2e837a64165fc0fab3.pdf?index=true
    • https://329f26c8-0235-4118-8622-173d264d9cf1.filesusr.com/ugd/221f3a_88759da1c08249aa8b4bd295712c9eb6.pdf?index=true
    • https://uploads.strikinglycdn.com/files/79c54495-763c-45b8-a1f1-2439ad1a01db/hayward_pool_heater_gas_pressure.pdf
    • https://s3.amazonaws.com/vunizi/nuwovi.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000fa0e.bin
039789ee1cbeeca6f4b27df22841bafe631cddae92efa487768df6751b0c7a74		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFA0E 5136 bytes
font_01_sfnt_off00010b70.bin
a80fca84098256196a5c7ee99f404626c17bea401f31972875df5317562fd613		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10B70 11376 bytes
font_02_sfnt_off0001322d.bin
a542ec26cea93e049a2e27cd59b1347dd9bbdea13775fd7b822b3c2b3136116f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1322D 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.