Malicious PDF — malware analysis report

Static analysis result for SHA-256 d05ee5362295e1ea…

MALICIOUS

PDF

81.4 KB Created: 2021-09-15 22:55:03 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-16
MD5: aabd2a369e9040b76be47fdcd0819813 SHA-1: 0085660c8dbeb2a14b8f244a4d3571f6b3c6fb1e SHA-256: d05ee5362295e1ead582199bee0f9f4ba493aa51ee06032884be4aef8617179a
126 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file was flagged as malicious by ML classifiers and ClamAV, indicating a phishing or trojan threat. The presence of a link farm with numerous disposable hosts and deceptive UTM parameters suggests an attempt to redirect users to malicious content, likely for credential harvesting or malware distribution. While no scripts were explicitly extracted, the PDF structure and embedded URLs point towards a phishing attack vector.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9981

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://oxigensupplies.com/shipinc/userfiles/files/vedasij.pdf In PDF document text
    • https://przyklejki.pl/userfiles/wipudimirivexajadogini.pdfIn PDF document text
    • https://charlesstreetvideo.com/userfiles/file/2588262267.pdfIn PDF document text
    • http://gaytonfa.com/upload/files/61502099616.pdfIn PDF document text
    • https://cafesca.info/ckfinder/userfiles/files/domumefutotiga.pdfIn PDF document text
    • http://sensor4you.com/fckeditor/editor/filemanager/connectors/php/fckeditor/upload/202109/file/kifoxovil.pdfIn PDF document text
    • http://heichapuzi.com/uploadfile/file/xusinuzipaperimusovur.pdfIn PDF document text
    • https://xn--z4qq44i.xn--kpry57d/upload/actfiles/25703074760.pdfIn PDF document text
    • http://wronba.com/uploads/wysiwyg/file/12611534617.pdfIn PDF document text
    • http://budropol.de/Upload/file/zutivi.pdfIn PDF document text
    • http://baovecongtruong.com/upload/files/gonezazajubefexadalaleja.pdfIn PDF document text
    • http://lixupeng.com/uploads/files/nuwimarowawunaxar.pdfIn PDF document text
    • http://naitikfashions.com/ckfinder/userfiles/files/nezofasoxujifafonurodegu.pdfIn PDF document text
    • http://www.hotel-margherita.com/wp-content/plugins/formcraft/file-upload/server/content/files/1613928c52a6db---19256083866.pdfIn PDF document text
    • https://hrmconsulting.biz/upload/files/11221058620.pdfIn PDF document text
    • https://www.esfa.bg/root/ckfinder/userfiles/files/sujim.pdfIn PDF document text
    • http://bebsulmare.com/userfiles/files/narefose.pdfIn PDF document text
    • http://www.sun-green.eu/ckfinder/userfiles/files/94224551104.pdfIn PDF document text
    • https://www.advids.io/wp-content/plugins/formcraft/file-upload/server/content/files/16135cdc4cafc8---firojamisep.pdfIn PDF document text
    • http://flagrant-desir.com/userfiles/file/3652023955.pdfIn PDF document text
    • https://produktybhp.pl/pliki_user/File/75806625171.pdfIn PDF document text
    • https://we-plus.tw/ckfinder/userfiles/files/58136712489.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/LPIa9PGmDLg/uplcv?utm_term=minecraft+pocket+edition+2021+apkPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d775.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD775 18488 bytes
SHA-256: 8d835edbcc2397130e6b18bc2f9fd8d51518268f049174b27ffc0b6e3486a956
font_01_sfnt_off000106be.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x106BE 10780 bytes
SHA-256: facc250a430b8f0682baf7196bd777aa5fc2526268f63253cdc69026b8604547
font_02_sfnt_off00011fc5.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x11FC5 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1