Malicious PDF — malware analysis report

Static analysis result for SHA-256 d790699b457e445e…

MALICIOUS

PDF

84.3 KB Created: 2021-03-20 09:03:11 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 10f0dc28af3e93c45fd55adc1b363ecb SHA-1: 7f31ebaca60c23f24d5d0ecbead2f17a0c5f3292 SHA-256: d790699b457e445e971b30079b8898a6c0eb401209697a1ab6bea5aa172b0295
126 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains numerous embedded URLs, with a significant portion pointing to disposable domains and exhibiting link farm characteristics, suggesting a phishing or malware distribution campaign. The ClamAV detection and ML classifier strongly indicate malicious intent. While no scripts were directly extracted, the PDF structure and embedded URIs are indicative of a spearphishing attachment used to redirect users to malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ponafet.ru/123?utm_term=ariston+europrisma+water+heater+installation+manual
    • https://cdn-cms.f-static.net/uploads/4387815/normal_601789cfb168a.pdf
    • http://ayazshabutdinov.club/5291616352645ga8.pdf
    • http://artdebug.site/caballo_de_troya_descargarziila.pdf
    • http://ueuniti.website/fmea_aiag_vdatn47z.pdf
    • https://cdn-cms.f-static.net/uploads/4454547/normal_6032948744706.pdf
    • http://xsafak.com/negixegogamisorivelegqq.pdf
    • https://cdn-cms.f-static.net/uploads/4378381/normal_60523508169c4.pdf
    • http://tiktokhd.design/design_of_septic_tank_and_soak_pitd363g.pdf
    • https://cdn-cms.f-static.net/uploads/4413866/normal_600a0f42bc1c8.pdf
    • http://7lessons.website/big_mamas_funeral_summaryz8y3b.pdf
    • http://banki-internetowe.com/repair_shimano_nexus_3_speedzfji7.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://0dd0cd87-80d3-4eb5-b9c6-73c43c3a6fca.filesusr.com/ugd/f0b6b3_cc738631d92749a38a271afc429b5463.pdf?index=true
    • https://75ca6b5e-a470-4e0e-8004-b00a9f1721b4.filesusr.com/ugd/1e4819_1e1eea29656c412181973d8c94e27aaf.pdf?index=true
    • https://3012fa3b-51b7-4264-898e-e15d6fab1eb1.filesusr.com/ugd/ee5524_cb3a33c93a5d423a9efb9e6d98d01a4a.pdf?index=true
    • https://0a38098d-26c8-4844-ab0b-2dfc398d7f8d.filesusr.com/ugd/fffd55_e1cab271561343eead9a59d07526311f.pdf?index=true
    • https://s3.amazonaws.com/liguwubore/metformin_500_sr_tablets.pdf
    • https://s3.amazonaws.com/lorugipopuxe/misbehaving_thaler_audiobook.pdf
    • https://d2faa26e-66ca-44cd-8f84-883624a71019.filesusr.com/ugd/dbbfd0_827671eb4fb8429a9711ad142d0a938a.pdf?index=true
    • https://s3.amazonaws.com/defujo/internal_audit_report_template_iso_9001.pdf
    • https://e4586023-485a-43f1-9451-2d404684c5b7.filesusr.com/ugd/95ff22_d658491cf79d403e8b3a1e80ac65cd42.pdf?index=true
    • https://s3.amazonaws.com/wanasuvedigo/ragnarok_mobile_monk_leveling_guide.pdf
    • https://ed21222e-fee3-4fab-8b52-e2ddb7bb35ab.filesusr.com/ugd/e73fea_bb95b3d46a704b9b82ea757775589bcf.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00010a9d.bin
dee9e92ff9680aca2b2133dd32d877b1ad7886aeca01dd6a60fff7f2dc64c5ba		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10A9D 5140 bytes
font_01_sfnt_off00011bfc.bin
7606ea7db89882aa94982a0d7fa296eb96ff1a2ac035fe8fe5b90617736cc0fa		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11BFC 11660 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.