Malicious PDF — malware analysis report

Static analysis result for SHA-256 d8584a039bd22b34…

MALICIOUS

PDF

79.6 KB Created: 2021-09-19 00:47:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-11-22
MD5: 8abf5b174e973b619aef01ba94543dfc SHA-1: 64fdd3606b751a0f96bb69ab12163399adce8026 SHA-256: d8584a039bd22b34ae504a62daa6b85b393a670e3d3dcdf9827140ca38b6dd15
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The sample is identified as malicious by ClamAV and ML classifiers, with high-severity heuristics indicating it's a PDF with random and disposable URLs. The PDF structure and numerous external links suggest it functions as a link farm, likely intended to redirect users to phishing sites or download further malicious content. The presence of embedded JavaScript, though not explicitly detailed in the provided evidence, is a common technique for exploiting PDF vulnerabilities and initiating malicious actions.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7191

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link to algorithmically-generated URL high PDF_RANDOM_URL_LINK
    PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://oniceh.ru/uplcv?utm_term=demon+slayer+mugen+train+sub+full PDF link annotation
    • https://silverbirdmarketing.com/pages/images/file/nuzeluzosemulomorari.pdfIn PDF document text
    • http://king-ber.com/UploadFiles/file/20210906025739501.pdfIn PDF document text
    • https://floraplant.gr/FCKeditor/userimages/file/nasanufiwori.pdfIn PDF document text
    • http://tischtennis-kiel.de/images/file/88101142176.pdfIn PDF document text
    • http://quanhoangtsi.com/upload/quangtri/files/49964593712.pdfIn PDF document text
    • http://tg-focus.ru/userfiles/files/82248714018.pdfIn PDF document text
    • http://hadt.vn/upload/files/govolejewolebakidagapegax.pdfIn PDF document text
    • http://xn--989ap7r0xbd5x.com/upload/fckeditor/file/3846466594.pdfIn PDF document text
    • http://lulanjina.net/upload/files/kiner.pdfIn PDF document text
    • http://karimeh.com/public/userfiles/file/molavivezadisetixinepevud.pdfIn PDF document text
    • https://thepainter.asia/upload/files/mazamukolano.pdfIn PDF document text
    • https://hiperaktivite.info/userfiles/files/19556378305.pdfIn PDF document text
    • https://gogift-it.com/userfiles/files/6441084079.pdfIn PDF document text
    • https://livre-art.com/ckfinder/userfiles/files/72292416578.pdfIn PDF document text
    • http://studiomedicoveterinariobellucci.eu/userfiles/files/sowurivid.pdfIn PDF document text
    • http://insightonafrica.in/userfiles/file/73971083238.pdfIn PDF document text
    • https://cakkue.com/contents/files/rediwubitat.pdfIn PDF document text
    • http://hotel-ambassador-nice.com/upload/files/22373180313.pdfIn PDF document text
    • https://interior-mark.com/ckfinder/userfiles/files/84947305142.pdfIn PDF document text
    • http://xecuoihuyhoang.com/uploads/userfiles/file/23251454286.pdfIn PDF document text
    • https://hamayeshniroo.com/shop/file/pedifudivipegadoroseja.pdfIn PDF document text
    • http://tatugigo.com/ckfinder/userfiles/files/67767089493.pdfIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001078e.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1078E 10912 bytes
SHA-256: 53af0de954f5269a877b3da903df8b4c4e05b403233690d688afc98a664e3a96

Open this report in the interactive analyzer, or submit your own file for analysis.