Malicious PDF — malware analysis report

Static analysis result for SHA-256 d2636c678db514f9…

MALICIOUS

PDF

143.6 KB Created: 2021-03-14 10:51:30 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-07-07
MD5: a3ce7f77c908d649a38d6059877ac2d5 SHA-1: 02d9e50f1822fbb2274977a7a024f1661ff43d35 SHA-256: d2636c678db514f9bb691aaa2d9d9a15458417773223b9d0f82f4889027db2e5
264 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.001 User Execution: Malicious Link T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and a machine learning classifier, indicating a high likelihood of malicious intent. It contains a large number of embedded links, many pointing to disposable hosting, and one specifically to a known malicious redirector. The document body, though heavily obfuscated, appears to be a lure related to installation guides, suggesting a phishing or malware distribution campaign. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • QR-code redirect lure medium SE_QR_LURE
    Document instructs the user to scan a QR code with a phone — consistent with QR phishing, but also common in legitimate documents
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://crophysi.ru/strik?utm_term=d-link+ac3200+installation+guide In PDF document text
    • http://nesebonuvobeju.getenjoyment.net/shimano_di2_external_battery_mount.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4465543/normal_5fdb5fbca6a56.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4414339/normal_600c5f4c73962.pdfIn PDF document text
    • http://itfamily.info/648928492660uujn.pdfIn PDF document text
    • http://hookup158.fun/dexovqdgsr.pdfIn PDF document text
    • http://sevowina.medianewsonline.com/logitech_create_keyboard_backlight_not_working.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://4b4b92a8-4ac5-4030-97d5-af0917f8c077.filesusr.com/ugd/0251f0_93147d9b480a4a8c8a10e1e3ad1fd314.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/22791774-89de-4040-8bcd-8fd00bffa72b/gubobakevesorib.pdfIn PDF document text
    • http://nedizilunok.myartsonline.com/vuxudopetipanokifa.pdfIn PDF document text
    • https://8767aa75-4bd5-48c0-94ca-24e983238001.filesusr.com/ugd/debdc1_558e5ebc031a4def82971ea21b436fa7.pdf?index=trueIn PDF document text
    • https://d064ede3-316f-4d13-8ec5-014b2136b3bd.filesusr.com/ugd/154db6_3f4416b0dc9c4966b8e9a5ee6cbe6e80.pdf?index=trueIn PDF document text
    • https://9e1b5e4e-b4ab-405b-8fdf-b3b6d7b19c28.filesusr.com/ugd/94ea38_acf14f12d5824994bb09608c86d694f0.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/7459d44e-b167-4376-b2db-d09819599fdb/diluzufumupuwumuvaza.pdfIn PDF document text
    • https://5c90cfa9-af55-48e2-9430-1f3580382729.filesusr.com/ugd/e2b09b_bf5853fef93745e8a1a92e0b52b281df.pdf?index=trueIn PDF document text
    • https://aca292c6-a3ee-4c96-b4c9-db15c8eca1b9.filesusr.com/ugd/cd1d52_c377a73837bd47648c2d74d185280aff.pdf?index=trueIn PDF document text
    • https://6448a590-b571-4b71-a9e4-820b8531b153.filesusr.com/ugd/782be2_e802cc303fe24f7facb9711e8a527381.pdf?index=trueIn PDF document text
    • https://6f81cef9-66a2-447d-9e1d-4c0427ef15c5.filesusr.com/ugd/4d935e_317a9905689f4ef8aff4b4aec0cd1574.pdf?index=trueIn PDF document text
    • https://8767aa75-4bd5-48c0-94ca-24e983238001.filesusr.com/ugd/debdc1_383be4dcdc4f4e048e8e9ce64f17a62f.pdf?index=trueIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000133fc.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x133FC 53468 bytes
SHA-256: b08b7d4e8bd36e34f835056c3edaf9b441d9a38b8790e8643e921894c70cdea0
font_01_sfnt_off0001d1e8.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1D1E8 5544 bytes
SHA-256: e5506aca8bb381413c670d7fad9e261db918ed084c78e8fe7961635334acfdab
font_02_sfnt_off0001e4e8.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1E4E8 8924 bytes
SHA-256: 189e56a8ba7e7134a27b3b18611a7b9463ffd8f9c82ab388bf47c0f3f987a213
font_03_sfnt_off0001f6db.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1F6DB 20388 bytes
SHA-256: 53db4aa8590ae9f1f479f9147aab72dc03f7a697cfad78cd14de6f23f2d33631

Open this report in the interactive analyzer, or submit your own file for analysis.