Malicious PDF — malware analysis report

Static analysis result for SHA-256 d01767cb4cd3aa35…

Verdict: MALICIOUS
File type: PDF

Size: 125.1 KB
Created: 2021-04-01 01:20:46 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-07-13
MD5: d0763ac0e287979a0bc10cb30adb783e
SHA-1: 20ec567043b5b26e1df86360f0029033efb9aaa0
SHA-256: d01767cb4cd3aa356d1c37ac9d308a39044273af31c918956a37c64a9193d7f9
Risk Score: 126

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a phishing or trojan payload. The document contains numerous embedded URLs, many pointing to disposable domains, suggesting a link farm designed to redirect users to malicious content. The heuristic 'PDF_SEO_DISPOSABLE_LINK_FARM' specifically highlights this behaviour. While no scripts were explicitly extracted, the presence of embedded URLs and the nature of the heuristics strongly suggest an attempt to trick users into visiting a compromised site, likely for credential harvesting or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9801

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://soxebez.ru/123?utm_term=behaviour+definition+pdf (PDF link annotation)
    • http://bit-ipo.ru/zidiritodovexamasaigpm.pdf (In PDF document text)
    • https://cdn.sqhk.co/vubiwete/d2Z0fhi/mulufufetafafidafin.pdf (In PDF document text)
    • http://proita.fun/is_lennie_a_flat_characterpxyke.pdf (In PDF document text)
    • https://cdn.sqhk.co/zejegure/jg3JAgg/fumanubebimifodapo.pdf (In PDF document text)
    • http://tdsevsvet.ru/jikuvidodolilat62112.pdf (In PDF document text)
    • http://pl50off.info/danganronpa_v3_gift_guide_spoiler_freeuglk6.pdf (In PDF document text)
    • https://cdn.sqhk.co/mozoposowi/vggLhec/wuvonefejumisojiwuroluz.pdf (In PDF document text)
    • http://bbcua.site/sumilefidujajosuxelejubef9kboi.pdf (In PDF document text)
    • https://cdn.sqhk.co/xolanikipiz/jebhahg/penalty_shootout_game_world_cup_2018.pdf (In PDF document text)
    • http://promoocaoameericanas.com/japopozim26ao7.pdf (In PDF document text)
    • http://medyayazilimtr.com/47376569725gmiea.pdf (In PDF document text)
    • https://cdn.sqhk.co/gaximeme/dTSDijj/kegenolevizi.pdf (In PDF document text)
    • http://banquepopulaire-fr.org/11125771721b29p7.pdf (In PDF document text)
    • http://www.ascendercorp.com/ (In PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (In PDF document text)
    • http://www.opentle.org (In PDF document text)
    • http://fedorahosted.org/lohit (In PDF document text)
    • https://s3.amazonaws.com/bisegilupuf/netawejaduxemevobinuxib.pdf (In PDF document text)
    • https://s3.amazonaws.com/sakaburepagase/super_mario_bros_2_gbc_rom.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/4f943258-605d-45e4-9432-e2423ca5a004/estudio_biblico_de_la_historia_de_jose.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/e818b57d-0093-4a6a-8f4e-53d00aab8a2b/poxiwofagukepasedijuwiteg.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/147ea560-2927-4b1d-85f4-033b0768773f/god_is_a_matchmaker_quotes.pdf (In PDF document text)
    • https://s3.amazonaws.com/patotale/sum_david_eagleman_summary.pdf (In PDF document text)
    • https://s3.amazonaws.com/tobaziw/profit_and_loss_statement_template_for_nonprofit.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/585def8d-5462-4f01-9cd6-50b069a7e77e/26882826690.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/0a518416-a716-48f9-9b4b-23e81569fbad/why_did_netflix_remove_blue_is_the_warmest_color.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/c91db729-ce4f-45ce-8a5e-d14011753d81/what_year_was_martin_luther_kings_i_have_a_dream_speech.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/c4dd6c1e-4993-47f5-b560-ea8483849c1d/reloj_smartwatch_u80.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/965c5436-20e1-428c-b034-eafc1aaecd45/coleman_furnace_control_board_troubleshooting.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/f00dba23-1c48-4cc6-99d4-2f76a23b2231/the_lodge_cast_iron_cookbook.pdf (In PDF document text)
    • https://s3.amazonaws.com/posufij/binoxexamofasuluvigodux.pdf (In PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (In PDF document text)
    • http://purl.org/dc/elements/1.1/ (In PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (In PDF document text)
    • http://dejavu.sourceforge.net (In PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (In PDF document text)
    • http://scripts.sil.org/OFL (In PDF document text)
    • http://www.gnu.org/licenses/gpl.html (In PDF document text)

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Columns: Filename, Kind, Source, Size, SHA-256

  • stream_006_off0001aac2.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x1AAC2
    Size: 23352 bytes
    SHA-256: 218b3906fd1f898eb967c51811c99458974d6302842fe4c7e58a2d59158bcd1f
  • font_00_sfnt_off000109f9.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x109F9
    Size: 16364 bytes
    SHA-256: ce6277724165df770a671bc84da9047f5a535d51a49f129dd028f606cb0f4d9d
  • font_01_sfnt_off00013edf.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x13EDF
    Size: 5028 bytes
    SHA-256: 23f025198722cb4e2e90335ce126f70352983ae6a3bd44a0a43a9f3217f014b4
  • font_02_sfnt_off00014ff9.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x14FF9
    Size: 8376 bytes
    SHA-256: 35b9a6372a00228c8623fd541b035b87136fce6e77e5a0ed0a0b7e7cccdd63dd
  • font_03_sfnt_off00016722.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x16722
    Size: 25096 bytes
    SHA-256: 943bd7993d0586e7424cad0be4c486c3581ed8c317ce23a0ca9e8268b3ec7df6
  • font_05_sfnt_off0001d363.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1D363
    Size: 4396 bytes
    SHA-256: ce1c27e4554a7cb5973486c317649ab2ca9204eb38eb42ee145e1f9676a5e94c