Malicious PDF — malware analysis report

Static analysis result for SHA-256 c5f099b1c10a1bf6…

MALICIOUS

PDF

76.2 KB Created: 2021-09-09 10:35:52 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-12
MD5: 19673a0a11e36cc164d6f6c6a1a38644 SHA-1: 5dcdf02f62b7138aba7b652e92e9a55436b3c283 SHA-256: c5f099b1c10a1bf64c7980d543da51ef9f72d6f488feed6084223ca8fe812c8f
142 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF file contains embedded JavaScript and numerous external URIs, indicating an attempt to redirect users to malicious sites. The heuristic 'SE_LOLBIN_RUN_COMMAND' suggests the document may attempt to execute commands, likely facilitated by the embedded JavaScript. The ClamAV detection as 'Pdf.Phishing.Trojan' further supports a malicious intent, likely for phishing or malware delivery.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.4752

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://crysiq.ru/uplcv?utm_term=animator+vs+animation+android PDF link annotation
    • http://samtle.net/ckupload/files/vakozisuvomudenixi.pdfIn PDF document text
    • http://leebyenghun.com/new/upload/board/files/71282359629.pdfIn PDF document text
    • https://conexkarvan.com/cache/fck_files/file/44321851964.pdfIn PDF document text
    • https://indiachristian.org/uploads/files/revelelevupanevag.pdfIn PDF document text
    • http://qdcmd.com/data/files/kosewirozenojesiregamofu.pdfIn PDF document text
    • http://obasekiestates.com/UserFiles/file/16302404499.pdfIn PDF document text
    • https://laznia-radom.pl/userfiles/file/35913406143.pdfIn macro / runtime command snippet
    • https://tvmreza.tv/ckfinder/userfiles/files/tabepibisurujoxizavoze.pdfIn PDF document text
    • http://nordicwalkingturak.hu/_user/file/wuwafutepitefuj.pdfIn PDF document text
    • http://usefchina.com/uploadfile/file///2021090706495751.pdfIn PDF document text
    • https://afra24.com/basefile/afra24/files/72283844239.pdfIn PDF document text
    • https://wedding-photos.cz/userfiles/file/26112179415.pdfIn PDF document text
    • http://cmtoolsrental.com/user_img/files/20452345509.pdfIn PDF document text
    • https://www.mnogotrop.com/ckfinder/userfiles/files/jojuli.pdfIn PDF document text
    • https://szabobuszrendeles.hu/files/files/tazebuzelak.pdfIn PDF document text
    • http://tomei4x4.jp/js/upload/files/60818481151.pdfIn PDF document text
    • http://27derajat.com/assets/ckfinder/core/connector/php/uploads/files/fisiwabunasewak.pdfIn PDF document text
    • https://pui-vital.ro/msg_media/file/49351135004.pdfIn PDF document text
    • http://kbfrutos.sk/images/_file/misilujakowarojikutale.pdfIn PDF document text
    • http://www.carolglassman.com/wp-content/plugins/formcraft/file-upload/server/content/files/16136697227489---44301478595.pdfIn PDF document text
    • http://elard-group.com/ckfinder/userfiles/files/ginug.pdfIn PDF document text
    • http://www.sbawerribee.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/161331fcbbe615---gasaxaxapavo.pdfIn PDF document text
    • http://shacklefordlawoffice.com/customer/3/d/9/3d947ad6ce2568d98b832ccf5548371bFile/10324591039.pdfIn PDF document text
    • http://ekotop.eu/userfiles/file/55125493618.pdfIn PDF document text
    • https://lidiyageorgieva.com/ckfinder/userfiles/files/pirunowafi.pdfIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e5cc.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE5CC 10276 bytes
SHA-256: 8e17ba8de5ae54a227ded12450d4ab552eddfb48faec5781f7c422495d8c1418
font_01_sfnt_off0000fcee.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFCEE 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1

Open this report in the interactive analyzer, or submit your own file for analysis.