Malicious PDF — malware analysis report

Static analysis result for SHA-256 d60556dfa14379d2…

MALICIOUS

PDF

81.4 KB Created: 2021-09-17 23:00:14 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 2e4aef198ce1234f9d164e710e26a2cd SHA-1: 8770b7e6887d3a9e22b73987dd4e19d08e16c4c8 SHA-256: d60556dfa14379d2a513d78018bef6e3c48e199baf49808d06a223f8824f00ae
174 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file was flagged by multiple heuristics, including a high-confidence ML classifier and ClamAV, indicating malicious intent. The embedded JavaScript and numerous external URIs suggest the document is designed to lure the user into clicking links, potentially to download further payloads or engage in phishing. The heuristic 'SE_REMOTE_SUPPORT_LURE' strongly suggests the document's content aims to trick users into installing remote support tools.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9975

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Remote-support tool lure high SE_REMOTE_SUPPORT_LURE
    Document instructs the user to install, open, or connect with a remote-support tool such as AnyDesk, TeamViewer, Quick Assist, or ScreenConnect — high-risk in an unsolicited document
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://pistant.ru/uplcv?utm_term=hack+android+remotely
    • https://gullyracing.it/admin/ckfinder/userfiles/files/1355868860.pdf
    • http://techcessgroups.com/userfiles/file/54674023565.pdf
    • http://i-daa-wl.de/userfiles/zikogexiredavebaw.pdf
    • http://drvision.org/wp-content/plugins/formcraft/file-upload/server/content/files/1612f3ff6e5bf8---vigivolulabizaf.pdf
    • http://zaintik.org/files/galeria/files/23795643388.pdf
    • http://sanyosushiglendora.com/uploads/files/28412871615.pdf
    • http://commissioncollectionlaw.com/customer/3/d/9/3d947ad6ce2568d98b832ccf5548371bFile/14295029053.pdf
    • https://granitabrasive.ro/editor_up/36703052480.pdf
    • https://renault-service.com/userfiles/duranuxodewumu.pdf
    • https://www.mercedesbenzofaustinservice.com/wp-content/plugins/formcraft/file-upload/server/content/files/1613b2907d7fd7---japobusedapebipasagezonuv.pdf
    • http://szkolka-wiercioch.pl/files/file/dugavevugarujisivap.pdf
    • http://tznjl.com/userfiles/files/linerubunuxija.pdf
    • http://armiikrajowej36.pl/public/upload/ckfinder/userfiles/files/81128337661.pdf
    • http://luligang.com/ckfinder/userfiles/files/71374985842.pdf
    • http://wsm.hk/images/uploadfiles/file/sonejejapumekute.pdf
    • https://www.colegiodomus.com.br/js/ckfinder/userfiles/files/fepelaxoxajarafidunexux.pdf
    • https://transmilenio.net/datamont/userfiles/file/68793051146.pdf
    • http://studiochiodo.eu/userfiles/files/wumokutumeti.pdf
    • http://consurs.ro/ckfinder/userfiles/files/lebebumadevijivi.pdf
    • http://unewstoday.com/task/userimages/file/lutokovuvodotovawoxokoxu.pdf
    • http://evola.it/userfiles/files/19217702336.pdf
    • https://anctools.com/ckfinder/userfiles/files/rofipapomagifedupaxize.pdf
    • https://arte-salon.ru/upload_picture/pijade.pdf
    • http://ubest.ru/images/file/4307868189.pdf
    • http://studioassociatoemc.com/userfiles/files/pejurirapowusoz.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000db52.bin
220821eadea214887dea53fb2e55d0d821d0d81412a042ceb03157018fc5508e		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDB52 17068 bytes
font_01_sfnt_off000107fd.bin
8818031562c1ee82ea4d546a4fc7b910963a343081041f64c2d1d7680fa00db8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x107FD 10560 bytes
font_02_sfnt_off0001200b.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1200B 16792 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.