Malicious PDF — malware analysis report

Static analysis result for SHA-256 c3eac72b0bce42d1…

Verdict: MALICIOUS
File type: PDF
Size: 166.6 KB
Created: 2021-03-28 10:27:08 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: fa0c98db03b5911edbbb34566f45bf03
SHA-1: 9a5247b12a1c6872647245de0453bb160aac6c5d
SHA-256: c3eac72b0bce42d1a7b2d10c3ee80b96d3ea4f80c413a23444503b556d495aee
Risk Score: 184

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by multiple heuristics, including ClamAV and an ML classifier, as malicious. It contains embedded links that redirect to a known malicious URL, 'https://yafferge.ru/award?keyword=mind+body+dualism+pdf'. This strongly suggests a phishing or malware distribution attempt, aligning with the 'Pdf.Phishing.Trojan' detection. No scripts were extracted, but the presence of malicious redirector links is sufficient evidence.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8689

Heuristics (5)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • PDF differential parser failed [info] PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PDFSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://yafferge.ru/award?keyword=mind+body+dualism+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00025b7b.bin
    SHA-256: 02f6c3da95ce3a0cd080fe32691ad4623a53aa26125a2e956e33726a696b07c7
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x25B7B
    Size: 5336 bytes
  • font_01_sfnt_off00026da3.bin
    SHA-256: c8504515b8a3ee883a6060f30285d7231c5e8543502fd49eae2b77056e2c6931
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x26DA3
    Size: 13832 bytes