Malicious PDF — malware analysis report

Static analysis result for SHA-256 cf75d8a58cc28a74…

Verdict: MALICIOUS
File type: PDF
Size: 108.3 KB
Created: 2021-04-11 09:03:04 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 590428dd6d3aafad72e5f90c11a49cc2
SHA-1: 7186d1319120c226b06f48ba4b15731e58c02ad4
SHA-256: cf75d8a58cc28a74e1a045e208ec4f1eec7d2d39b4b65e71072a8ac0d6d3da79
Risk score: 124

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript

ClamAV (a Pdf.Phishing.Trojan signature) and the Nyx ML classifier both flag the file; the ML score of 0.5074 is marginal, so the verdict rests mainly on the signature and on the PDF_SEO_DISPOSABLE_LINK_FARM heuristic. The link structure fits that heuristic closely: a small document whose clickable links point at eleven further PDFs spread across nine unrelated hosts with no dominant domain, plus one feedproxy.google.com (FeedBurner) redirect whose utm_term query carries a search phrase. This is the 'free document/template' SEO phishing family, where the PDF exists to rank for search queries and funnel readers into redirect chains rather than to cite sources. The hosts are not throwaway domains but established sites; the paths (/sites/default/files/webform/, /system/files/webform/ and similar) are Drupal file directories that the Webform module writes form uploads to, consistent with PDFs parked on third-party sites through unprotected upload fields. The PDF itself carries no exploit (the producer string shows it was rendered from HTML by wkhtmltopdf), and no JavaScript heuristic fired, so the T1059.007 mapping is not corroborated by the listed findings; the risk is entirely in the linked destinations.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5074

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL channel labels (macro, JS, link annotation, document body, ...) are not reproduced here, so the list below is grouped by the channel each URL evidently came from.
    Link annotations (clickable targets: further PDFs parked under Drupal file directories on unrelated hosts, and one utm_term redirector):
    • https://www.natsihwa.org.au/sites/default/files/webform/zolevijovexoneda.pdf
    • http://www.sumnercountyhospital.org/sites/default/files/webform/27017481005.pdf
    • https://extranet.blanchisserie-toulousaine-de-sante.com/sites/extranet.blanchisserie-toulousaine-de-sante.com/files/documents/justificatifs/niroxopewesanusogub.pdf
    • https://www.natsihwa.org.au/sites/default/files/webform/19026354442.pdf
    • https://www.uts.cw/sites/default/files/webform/tizodakemepegipupimegoxi.pdf
    • http://seiary.com/sites/default/files/webform/rec/kutovaduro.pdf
    • https://www.natsihwa.org.au/sites/default/files/webform/72789215659.pdf
    • https://www.dgs-interparts.be/sites/default/files/42042694998.pdf
    • https://www.visitsavannah.com/sites/default/files/webform/mubojezelu.pdf
    • http://www.friendlycc.com/sites/default/files/webform/fajabenofedutetigolexid.pdf
    • https://feedproxy.google.com/~r/skout/mBVl/~3/3CAf4wW3hvY/uplcv?utm_term=rhode+island+porn
    • https://gradfutures.princeton.edu/system/files/webform/25860956451.pdf
    Embedded-font metadata (vendor, license and designer URLs from the name tables of the embedded fonts: Ascender, Lohit, Meera/SMC, Sinhala; strings in font programs, not clickable links):
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://fedorahosted.org/lohit
    • http://smc.org.in
    • http://www.indictrans.org
    • http://www.opentle.org
    • http://scripts.sil.org/OFL
    • http://www.geocities.com/mitra_anirban/hobbies.htm
    • http://www.gnu.org/copyleft/gpl.htm
    • https://gitlab.com/smc/meera/blob/master/COPYING
    • http://sinhala.sourceforge.net/
    • http://sinhala.cvs.sourceforge.net/viewvc/*checkout*/sinhala/sinhala/fonts/CREDITS
    • http://www.gnu.org/licenses/gpl-2.0.html
    • http://www.gnu.org/licenses/gpl.html

Extracted artifacts 10

Files carved from inside the sample during analysis.

The ten artifacts are two inflated FlateDecode content streams and eight embedded sfnt font programs; no JavaScript, embedded-file or launch-action streams were carved.

stream_002_off0000ca7c.bin
  SHA-256: fb8d7af59fb45225fbb2fb4c2e61897378985d5869b66c6ef2c487165cbeb2b6
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0xCA7C
  Size: 10072 bytes

stream_020_off00019cc4.bin
  SHA-256: ff8afd0128a3e8272dfac70e36cecfeca33b65c2a4e76f06a99a431a8e4689af
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x19CC4
  Size: 8366 bytes

font_01_sfnt_off0000ebe1.bin
  SHA-256: 95c28bf124100b38f30becf2bd331bb84919f97f2280dbd05cecea5569cbd0b8
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xEBE1
  Size: 5052 bytes

font_02_sfnt_off0000fd04.bin
  SHA-256: 60db70a574561f37118e56256cea320d09ff6bdb4db7f77fbc44f553b06b448a
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xFD04
  Size: 3652 bytes

font_03_sfnt_off00010a84.bin
  SHA-256: e08c5f2a99be7fd31700a762fed605b3e472a2d128bf2e6f4e1cd2b9730d8032
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10A84
  Size: 5852 bytes

font_04_sfnt_off00011d2b.bin
  SHA-256: b82acd4f955df0eea302d506a23d2788cd67772f7efedb352c0c2e5440c1c61a
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x11D2B
  Size: 3800 bytes

font_05_sfnt_off00012baa.bin
  SHA-256: 05134c60e4007699df70fc4dc683761380ca3513cc2c9218eba129b043f6f2f3
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x12BAA
  Size: 8612 bytes

font_06_sfnt_off000146a8.bin
  SHA-256: 913659a248f779835788141c9b50b744ac8dbc1c8d4c8a15de15e1001cfd9542
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x146A8
  Size: 4984 bytes

font_07_sfnt_off00015699.bin
  SHA-256: 06d3be421449783dd9b6b09a28e619aed9e58cb7a66d57cd6d6f2087ad132637
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x15699
  Size: 7432 bytes

font_08_sfnt_off00016b2f.bin
  SHA-256: 434e36614d4771886890c80e2306a3937276a41848e482884cb09a0aa99c8c00
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x16B2F
  Size: 16696 bytes