Malicious PDF — malware analysis report

Static analysis result for SHA-256 c3dafad35e9d656f…

MALICIOUS

PDF

Size: 93.2 KB
Created: 2021-09-21 18:09:43 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-11-24
MD5: 37e6a34a77c8ab63903ab7215fe0497d
SHA-1: 738d5b58a24695bb73786b42b5fbe5436f8d333b
SHA-256: c3dafad35e9d656f72b35ffc428d2e57c04cf9e10b13e2cc53bc5c5389f089fd
Risk Score: 102

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is identified as a malicious PDF by ClamAV, containing embedded JavaScript. This script likely redirects users to external URLs, as indicated by the numerous extracted URLs, some of which are hosted on disposable domains. The PDF's structure and the presence of JavaScript strongly suggest an attempt to lure users to malicious websites for phishing or other scams.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.2793

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL / Channel
    • https://smidgel.ru/uplcv?utm_term=anubhav+movie+old (PDF link annotation)
    • https://francoisdaulte.com/ckfinder/userfiles/files/20185503374.pdf (In PDF document text)
    • https://fiberglasssupplydepot.com/userfiles/file/lusitavebanoponanuvabog.pdf (In PDF document text)
    • http://nfraccon.org/userfiles/file/sopodu.pdf (In PDF document text)
    • http://cps-mbstu.edu.bd/app/webroot/js/ckfinder/userfiles/files/naboguxamofajabu.pdf (In PDF document text)
    • http://anonelectronics.com/admin/fckeditor/editor/filemanager/connectors/php/upload_jpg/file/202109020609259705.pdf (In PDF document text)
    • http://pribatu.lamilagrosaimport.com/images/files/98970320152.pdf (In PDF document text)
    • https://garnizone.com/userfiles/file/69810318965.pdf (In PDF document text)
    • http://cerritos.songhakbbq.com/uploads/files/38344242665.pdf (In PDF document text)
    • http://homokkepek.hu/editor_up/pazimolaxagux.pdf (In PDF document text)
    • http://www.premiumimport.nl/ckfinder/userfiles/files/30492056550.pdf (In PDF document text)
    • http://www.fullertherapy.com/wp-content/plugins/formcraft/file-upload/server/content/files/1613a740c72cec---78512645715.pdf (In PDF document text)
    • http://musikpark-live.de/userfiles/file/94814524711.pdf (In PDF document text)
    • http://kmbb.at/userfiles/file/72527041409.pdf (In PDF document text)
    • http://romanasulcikova.cz/userfiles/wedagevepazex.pdf (In PDF document text)
    • http://conhantaoankhanh.com/webroot/img/files/sowexoluzubezigad.pdf (In PDF document text)
    • https://www.nhabe.com.vn/ckfinder/userfiles/files/97589755500.pdf (In PDF document text)
    • http://aadcnfgl.netsociality.com/upload/files/niterevikododugejo.pdf (In PDF document text)
    • https://eirai.org/editor/ckfinder/userfiles/files/78685443162.pdf (In PDF document text)
    • http://www.novosib-sport.ru/ckfinder/userfiles/files/7018407736.pdf (In PDF document text)
    • http://gzhangqin.com/uploadfile/files/91388728321.pdf (In PDF document text)
    • https://trsbarriersdirect.com/wp-content/plugins/super-forms/uploads/php/files/mav0jr4irgg938gve97asq3a1b/21773905273.pdf (In PDF document text)
    • http://adice-area.com/pictures/files/rufonaxoxebowoni.pdf (In PDF document text)
    • https://www.posluh.hr/ckfinder/userfiles/files/kiraguj.pdf (In PDF document text)
    • http://dejavu.sourceforge.net (In PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (In PDF document text)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0001181c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1181C | 18452 bytes
  SHA-256: e4689144e9b1465d7b52e119eea4ca6f20b45c0b3e00cdec0a2676aa4f788a90
font_01_sfnt_off0001488b.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1488B | 16792 bytes
  SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_02_sfnt_off000160a2.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x160A2 | 10432 bytes
  SHA-256: 89cff0a005f59cbbd97efeec2fba4eaab3843d4f914a7b89e01084d7670cf155