Malicious PDF — malware analysis report

Static analysis result for SHA-256 d5c0858590368961…

Verdict: MALICIOUS
File type: PDF
Size: 79.7 KB
Created: 2021-09-30 22:18:07 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-11-25
MD5: 67b96c9a85d415abb96711d3afa19525
SHA-1: 08328efcd9221c92f3a981bc4ded778188615a83
SHA-256: d5c0858590368961c6b9fc38944c6facb1e579d4977b94b22c88b3bbf5473ed1
Risk Score: 126

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file was flagged by multiple heuristics, including a critical ClamAV detection and an ML classifier indicating maliciousness. The presence of numerous embedded links, many pointing to potentially disposable domains, suggests a phishing or link-farming attempt. Although no executable scripts were extracted, the structure and heuristic firings strongly indicate a malicious intent to redirect users to external, untrusted resources.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9966

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename                      | Kind            | Source                                     | Size        | SHA-256
font_00_sfnt_off0000b7d4.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0xB7D4  | 10628 bytes | 632af5e5c530e7d32bfcf28d11ff706598978fdffeac81f70bf55810e9f7cc62
font_01_sfnt_off0000d016.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD016  | 19496 bytes | a6d580ab966915df5440cdd346e9761643ad365546a7060aa0c42ee466cff30c
font_02_sfnt_off000102a4.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0x102A4 | 16188 bytes | 800554d3d6320da9c8ab21a3ad3d270f40e7a92360d7538c059d647d952d1d34
font_03_sfnt_off0001185a.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1185A | 16792 bytes | 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1