Malicious PDF — malware analysis report

Static analysis result for SHA-256 cc0ed9b2a95dbdc9…

Verdict: MALICIOUS
File type: PDF
Size: 91.3 KB
Created: 2021-02-28 19:01:00 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-05-23
MD5: 0a7b3d5b2ff53cc8c25c27138579a018
SHA-1: 421e4de2a0ec2d9be02e6ecc7bae6e84c8f9fa17
SHA-256: cc0ed9b2a95dbdc94396b2e0bc7d45e447a6922a19e32a58f32bb7f7efacd54b
Risk score: 134

Malware Insights

MITRE ATT&CK

  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

ML classification (Nyx PDF classifier, score 0.9996) and a ClamAV signature (Pdf.Phishing.Trojan) both flag this file as malicious, and the findings describe a phishing lure rather than an exploit. The file carries one clickable link annotation, an SEO redirector on seumenha.ru keyed to a game-download search query, plus many more URLs in the document text, most of them .pdf paths on free or disposable hosting (cdn.sqhk.co, rf.gd, epizy.com, 22web.org, f-static.net, s123-cdn-static.com). The body text, though truncated, reads as a game-download lure, which matches the PDF_SEO_DISPOSABLE_LINK_FARM heuristic: the document itself contains no exploit, and the risk lies in the linked destinations. Note that the T1059.007 (JavaScript) mapping is not backed by any JavaScript finding in the heuristics below; the verdict rests on the link structure and the signature match.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    A small PDF that contains many clickable external PDF links spread thinly across many distinct hosts, with no single dominant host, corroborated by a utm_term SEO-redirector link and/or links parked on free or disposable content hosts. This is the 'free document/template' SEO phishing PDF family: the document ranks for search queries and routes users into payload or redirect chains, rather than showing a normal citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • Urgency / deadline lure [low] SE_URGENCY_LURE
    The document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', and similar). Useful context, but low-signal without other findings.
  • External URI [info] PDF_URI
    The PDF contains an external URI action (a link annotation whose action opens a URL).
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes, typically because an appended incremental update redefined it. A first-wins reader and a last-wins reader then resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content; here the finding stayed at info.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the channel label on each entry says which channel (macro, JS, link annotation, document body, ...) reached it.
    • https://seumenha.ru/wix?keyword=geometry+dash+apk+2.1+free+download (PDF link annotation)
    • https://cdn.sqhk.co/takejirasomu/hdiaHjg/sniper_ops_3d_shooting_game_apk.pdf (in PDF document text)
    • http://lnstagramverifiedbadge-form.com/j_cole_middle_child_sheet_musicfr9uf.pdf (in PDF document text)
    • http://yoga-italy.space/vafefivibubibegexefcg6o.pdf (in PDF document text)
    • https://cdn.sqhk.co/raxavetaletu/PrrVIgj/amc_cookware_price_list_2020.pdf (in PDF document text)
    • https://cdn.sqhk.co/nojumuku/2ifnVMa/rummikub_replacing_joker_rules.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4380403/normal_600578ca4ea12.pdf (in PDF document text)
    • http://nuvoked.22web.org/74812816481.pdf (in PDF document text)
    • http://1yamal.space/tixoxutukedc1s0q.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4365594/normal_5fd2339b5f350.pdf (in PDF document text)
    • https://cdn.sqhk.co/sebixodof/hdha0Uc/followers_and_likes_for_tiktok_free_2020.pdf (in PDF document text)
    • http://ketosimple.online/66719170483z2eus.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4450907/normal_60324f389b32c.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4410190/normal_603ab3905c60b.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4406463/normal_5fdaaaed53358.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • http://www.daltonmaag.com/ (in PDF document text)
    • http://rimaxuj.rf.gd/90774196049.pdf (in PDF document text)
    • https://s3.amazonaws.com/wizuluworafid/hays_malaysia_salary_guide_2018.pdf (in PDF document text)
    • http://panafinuniro.epizy.com/hex_to_ascii_converter_tool.pdf (in PDF document text)
    • http://pisepivowunasi.rf.gd/52748352869.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    The ascendercorp.com and daltonmaag.com entries and the final nine (the w3.org, purl.org, ns.adobe.com, dejavu.sourceforge.net and scripts.sil.org URIs) are XMP namespace identifiers and font vendor or licence strings of the kind carried by embedded fonts and XMP metadata; they are not navigation targets and should not be treated as indicators. The .pdf links on the remaining hosts are the link-farm payload the heuristics describe.
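
The two findings the report builds on, URL extraction by channel and the PDF_SEO_DISPOSABLE_LINK_FARM dispersion check, as an added example that is not the report's scanner: it assembles a small PDF from URLs in the list above, pulls URLs out of the /URI link action and the Flate-compressed page text as separate channels, drops XMP and font-licence URIs, and then scores host dispersion, disposable hosting and SEO query keys. The disposable-host list, the metadata-URI list, the SEO query keys (utm_term plus the keyword parameter seen in the annotation link) and the thresholds are assumptions of the example.

```python
"""URL channel extraction plus the 'small PDF, many thin external .pdf links'
link-farm check.

Added example, not the report's scanner. The PDF is constructed inline from
URLs listed in this report; the disposable-host list, the metadata-URI list,
the SEO query keys and the thresholds are this example's assumptions.
"""
import re
import zlib
from collections import Counter
from urllib.parse import parse_qs, urlsplit

URL_RE = re.compile(rb"https?://[^\s<>()\[\]\"']+")
# Assumed free/disposable content hosts (the report's own list is not published).
DISPOSABLE_SUFFIXES = ("rf.gd", "epizy.com", "22web.org", "sqhk.co",
                       "f-static.net", "s123-cdn-static.com")
# XMP namespace and font-licence URIs: metadata, never navigation targets.
METADATA_PREFIXES = ("http://www.w3.org/1999/02/22-rdf-syntax-ns",
                     "http://purl.org/dc/", "http://ns.adobe.com/",
                     "http://scripts.sil.org/OFL", "http://dejavu.sourceforge.net")
SEO_PARAMS = ("utm_term", "keyword")  # query keys an SEO redirector carries (assumed)


def build_sample_pdf() -> bytes:
    """Constructed sample: one /URI link annotation, a Flate-compressed page
    content stream carrying six .pdf links, and an XMP metadata stream."""
    text = (b"BT /F1 10 Tf 40 700 Td "
            b"(https://cdn.sqhk.co/takejirasomu/hdiaHjg/sniper_ops_3d_shooting_game_apk.pdf) Tj "
            b"(http://lnstagramverifiedbadge-form.com/j_cole_middle_child_sheet_musicfr9uf.pdf) Tj "
            b"(http://yoga-italy.space/vafefivibubibegexefcg6o.pdf) Tj "
            b"(https://cdn.sqhk.co/raxavetaletu/PrrVIgj/amc_cookware_price_list_2020.pdf) Tj "
            b"(http://nuvoked.22web.org/74812816481.pdf) Tj "
            b"(http://rimaxuj.rf.gd/90774196049.pdf) Tj ET")
    content = zlib.compress(text)
    xmp = (b"<rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#' "
           b"xmlns:pdf='http://ns.adobe.com/pdf/1.3/'/>")
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 6 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >> endobj\n",
        b"4 0 obj << /Length " + str(len(content)).encode() + b" /Filter /FlateDecode >>\nstream\n",
        content, b"\nendstream\nendobj\n",
        b"5 0 obj << /Type /Annot /Subtype /Link /Rect [40 690 300 710] /A << /S /URI "
        b"/URI (https://seumenha.ru/wix?keyword=geometry+dash+apk+2.1+free+download) >> >> endobj\n",
        b"6 0 obj << /Type /Metadata /Subtype /XML /Length " + str(len(xmp)).encode() + b" >>\nstream\n",
        xmp, b"\nendstream\nendobj\n",
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ])


def extract_urls(pdf: bytes):
    """[(url, channel)]: URI actions first, then URLs found inside (decoded) streams."""
    found = [(m.group(1).decode("latin-1"), "link annotation")
             for m in re.finditer(rb"/URI\s*\(([^)]*)\)", pdf)]
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", pdf, re.S):
        body = m.group(1)
        try:
            body = zlib.decompress(body)  # FlateDecode; other filters are left raw
        except zlib.error:
            pass
        found += [(u.decode("latin-1"), "document text") for u in URL_RE.findall(body)]
    return found


def _host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def _disposable(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in DISPOSABLE_SUFFIXES)


def link_farm_features(urls):
    """Counts the heuristic reasons about: external .pdf links, distinct hosts,
    share of the most common host, disposable hosts, SEO redirector links."""
    nav = [u for u, _ in urls if not u.startswith(METADATA_PREFIXES)]
    pdf_links = [u for u in nav if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(_host(u) for u in pdf_links)
    dominant = max(hosts.values()) / len(pdf_links) if pdf_links else 0.0
    seo = [u for u in nav if any(k in parse_qs(urlsplit(u).query) for k in SEO_PARAMS)]
    return {"pdf_links": len(pdf_links), "hosts": len(hosts),
            "dominant_share": round(dominant, 3),
            "disposable": sum(_disposable(_host(u)) for u in pdf_links),
            "seo_redirectors": len(seo)}


def is_link_farm(f, pdf_size, max_size=150 * 1024, min_links=5, max_dominant=0.5):
    """Assumed thresholds: small file, links spread over several hosts with no
    dominant one, corroborated by a disposable host or an SEO redirector."""
    return (pdf_size <= max_size and f["pdf_links"] >= min_links and f["hosts"] >= 3
            and f["dominant_share"] < max_dominant
            and (f["disposable"] > 0 or f["seo_redirectors"] > 0))


if __name__ == "__main__":
    pdf = build_sample_pdf()
    urls = extract_urls(pdf)
    for url, channel in urls:
        print(f"{channel:16} {url}")
    feats = link_farm_features(urls)
    print(feats, "-> link farm:", is_link_farm(feats, len(pdf)))
```

Run it and the nine extracted URLs print with their channel, two of them metadata that the scorer ignores; the six .pdf links land on five hosts with the busiest holding a third of them, four sit on assumed disposable hosts, and the annotation carries a keyword query, so the sample trips the check. Tune the thresholds against a benign corpus before using anything like this in production; a bibliography PDF with many citation links is the obvious false positive, which is why the corroborating signals matter.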

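The PDF_DUPLICATE_OBJ_BODY_INCREMENTAL shape, as an added example that is not the report's own code: a constructed PDF whose object 4 0 is redefined by an appended incremental update, a scanner that reports only duplicates whose bodies actually differ, the first-wins versus last-wins resolution the heuristic describes, and the 'raise only on active content' rule with an assumed list of active-content keys. Cross-reference tables are left out of the sample because the check works on object bodies, not on the xref.

```python
"""Flag an indirect object defined twice with different bodies, and show how
first-wins and last-wins readers resolve it differently.

Added example, not the report's scanner. The PDF below is constructed inline:
object 4 0 is redefined by an appended incremental update. The xref tables are
omitted because this check works on object bodies only.
"""
import re
from collections import defaultdict

# "N G obj ... endobj"; the lookbehind stops "12 0 obj" also matching as "2 0 obj".
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
# Keys whose presence makes a duplicate body "active content" in this example (assumed list).
ACTIVE_RE = re.compile(rb"/(JavaScript|JS|Launch|OpenAction|AA|URI|EmbeddedFile|RichMedia)\b")

BENIGN = b"https://example.org/benign.pdf"
LURE = b"http://lure.invalid/lure.pdf"


def build_sample_pdf(second_uri: bytes = LURE) -> bytes:
    """Original revision defines 4 0 as a link annotation; the appended
    update redefines the same object with second_uri."""
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj\n"
            b"4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (" + BENIGN + b") >> >> endobj\n"
            b"trailer << /Root 1 0 R /Size 5 >>\n%%EOF\n"
            b"4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (" + second_uri + b") >> >> endobj\n"
            b"trailer << /Root 1 0 R /Size 5 /Prev 0 >>\n%%EOF\n")


def index_objects(pdf: bytes):
    """(num, gen) -> [(offset, body)] in file order, every definition kept."""
    defs = defaultdict(list)
    for m in OBJ_RE.finditer(pdf):
        defs[(int(m.group(1)), int(m.group(2)))].append((m.start(), m.group(3).strip()))
    return defs


def duplicate_bodies(defs):
    """Objects defined more than once with at least two distinct bodies.
    Identical re-definitions (a plain re-save) are not reported."""
    return {k: v for k, v in defs.items() if len({body for _, body in v}) > 1}


def raise_severity(dups) -> bool:
    """Raise above info only when some conflicting body carries active content."""
    return any(ACTIVE_RE.search(body) for v in dups.values() for _, body in v)


def resolve(defs, key, policy: str) -> bytes:
    """What a first-wins ('first') or last-wins ('last') reader returns for key."""
    bodies = [body for _, body in defs[key]]
    return bodies[0] if policy == "first" else bodies[-1]


if __name__ == "__main__":
    pdf = build_sample_pdf()
    defs = index_objects(pdf)
    dups = duplicate_bodies(defs)
    for key, versions in dups.items():
        print(f"object {key[0]} {key[1]} defined {len(versions)} times with differing bodies")
        print("  first-wins reader sees:", resolve(defs, key, "first"))
        print("  last-wins reader sees: ", resolve(defs, key, "last"))
    print("raise severity:", raise_severity(dups))
```

The benign control is built in: calling build_sample_pdf(BENIGN) produces an incremental update that re-saves object 4 0 with the same body, and duplicate_bodies() then reports nothing, which is the distinction the heuristic draws between a re-save and a parser-confusion attempt.
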
Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • stream_004_off000125c8.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x125C8
    Size: 24924 bytes
    SHA-256: 02872a0ba848b6d718e14555ae56aa5ee13c84ab88481b34672b1d4b26e55cf2
  • font_00_sfnt_off0000eeb8.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEEB8
    Size: 5528 bytes
    SHA-256: c8b7d272e5cd256a9c7822f96b94e1970b53a14db813824ae53dd4bdf85e58b5
  • font_01_sfnt_off0001018b.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1018B
    Size: 10580 bytes
    SHA-256: 47e48f490e2dba55168e9fb54234d275768ad87202bdbcb38c11edb353427431
  • font_03_sfnt_off0001517a.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1517A
    Size: 4324 bytes
    SHA-256: 4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3
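
How an artifact table like the one above is produced, as an added example that is not the report's own carver: walk every stream in a PDF, FlateDecode the ones whose dictionary asks for it, recognise embedded sfnt fonts by their four-byte version tag, and record each carved blob with the offset of its stream data, its size and its SHA-256. The PDF is constructed inline, the 'font' is an sfnt header plus zero padding rather than a real font, and the filename pattern copies the table's while the counters are this example's choice.

```python
"""Carve FlateDecode streams and embedded sfnt fonts out of a PDF, naming each
artifact by the file offset of its stream data and hashing it.

Added example, not the report's own carver. The PDF is constructed inline; the
'font' is an sfnt header plus zero padding, not a real font; the filename
pattern copies the artifact table's but the counters are this example's choice.
"""
import hashlib
import re
import zlib

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf")  # TrueType/OpenType version tags

CONTENT_TEXT = b"BT /F1 12 Tf 72 720 Td (text of a carved content stream) Tj ET"
FONT_STUB = b"\x00\x01\x00\x00" + b"\x00" * 60  # constructed: sfnt tag + padding, not a real font
XMP = b"<x:xmpmeta xmlns:x='adobe:ns:meta/'/>"   # constructed, left uncompressed


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _stream_obj(num: int, dictionary: bytes, raw: bytes) -> bytes:
    return (b"%d 0 obj << /Length %d %s >>\nstream\n" % (num, len(raw), dictionary)
            + raw + b"\nendstream\nendobj\n")


def build_sample_pdf() -> bytes:
    """Objects 4 (Flate content), 5 (raw XMP, not carved) and 6 (Flate sfnt font)."""
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 5 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj\n",
        _stream_obj(4, b"/Filter /FlateDecode", zlib.compress(CONTENT_TEXT)),
        _stream_obj(5, b"/Type /Metadata /Subtype /XML", XMP),
        _stream_obj(6, b"/Length1 %d /Filter /FlateDecode" % len(FONT_STUB), zlib.compress(FONT_STUB)),
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ])


def stream_dictionary(pdf: bytes, data_offset: int) -> bytes:
    """Dictionary of the object whose stream data starts at data_offset:
    everything between the nearest preceding ' obj' and the 'stream' keyword."""
    return pdf[pdf.rfind(b" obj", 0, data_offset):data_offset]


def carve(pdf: bytes):
    """Artifact records: name, kind, source, size, sha256, offset, data."""
    records, font_n = [], 0
    for n, m in enumerate(STREAM_RE.finditer(pdf)):
        raw, offset = m.group(1), m.start(1)
        data = raw
        if b"/FlateDecode" in stream_dictionary(pdf, offset):
            try:
                data = zlib.decompress(raw)
            except zlib.error:
                continue  # corrupt or non-zlib data: not carved by this example
        if data[:4] in SFNT_MAGICS:
            rec = {"name": f"font_{font_n:02d}_sfnt_off{offset:08x}.bin",
                   "kind": "pdf-font-stream",
                   "source": f"PDF embedded font (sfnt) at offset 0x{offset:X}"}
            font_n += 1
        elif data is not raw:
            rec = {"name": f"stream_{n:03d}_off{offset:08x}.bin",
                   "kind": "decompressed-pdf-stream",
                   "source": f"PDF FlateDecoded stream at offset 0x{offset:X}"}
        else:
            continue  # plain uncompressed, non-font stream: nothing to carve
        rec.update(size=len(data), sha256=sha256_hex(data), offset=offset, data=data)
        records.append(rec)
    return records


if __name__ == "__main__":
    for rec in carve(build_sample_pdf()):
        print(f"{rec['name']}  {rec['kind']}  {rec['source']}  {rec['size']} bytes")
        print(f"  SHA-256: {rec['sha256']}")
```

Hashing the decoded bytes rather than the raw stream is what makes the SHA-256 values comparable across samples: two PDFs that embed the same font or the same content stream with different compression settings still yield the same artifact hash, which is how a font or stream hash becomes a pivot between otherwise unrelated lure documents.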