Malicious PDF — malware analysis report

Static analysis result for SHA-256 dc5e3559524cdf0a…

Verdict: MALICIOUS
File type: PDF
Size: 109.1 KB
Created: 2021-04-09 02:41:40 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-24
MD5: 848d29c04982a397458f415f4310beda
SHA-1: 915cda9ec30d6b374bf8680e4ba241be89de77a4
SHA-256: dc5e3559524cdf0a2d4aef0fbdc098f3594b4e59df8bfcddd43fb7ab822e3c74
Risk score: 126

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged by multiple heuristics, including a critical ClamAV detection and an ML classifier, indicating malicious intent. The PDF contains numerous embedded URLs, many pointing to disposable domains, suggesting a phishing or malware distribution scheme. The presence of external URIs and link farm characteristics further supports this attack pattern. No scripts were extracted, but the overall structure and URL distribution are indicative of a malicious PDF.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9936

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://mezovuduw.ru/strik?utm_term=time+capsule+meaning+oxford+dictionary (PDF link annotation)
    • http://pixxel.life/what_is_a_6_qt_slow_cookerx4bl7.pdf (in PDF document text)
    • http://pay-order.info/jelefatiwadofakazezisijivsn9px.pdf (in PDF document text)
    • https://pesawuzopedeg.weebly.com/uploads/1/3/5/3/135327269/991262b4233.pdf (in PDF document text)
    • https://napokepuwaju.weebly.com/uploads/1/3/1/1/131164128/483902dbb9c.pdf (in PDF document text)
    • https://wogizepi.weebly.com/uploads/1/3/5/3/135388010/a53be.pdf (in PDF document text)
    • https://wiwofuda.weebly.com/uploads/1/3/2/3/132303082/7115791.pdf (in PDF document text)
    • http://pimesizawox.sportsontheweb.net/learn_korean_fast.pdf (in PDF document text)
    • http://remileboj.22web.org/23807980529.pdf (in PDF document text)
    • http://fisitupogavi.mypressonline.com/types_of_batteries_for_solar_panels.pdf (in PDF document text)
    • http://arenda-comp.space/kegimuxixupuxagutakidamne8ux.pdf (in PDF document text)
    • http://suvolupijiro.mygamesonline.org/xedazinolevinodet.pdf (in PDF document text)
    • http://sipamuxagiporen.iblogger.org/jenazawun.pdf (in PDF document text)
    • http://bawoputameded.iblogger.org/79359257196.pdf (in PDF document text)
    • http://prosale.company/383942555178tgod.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • http://fedorahosted.org/lohit (in PDF document text)
    • http://wedalavunobuwe.rf.gd/vereseru.pdf (in PDF document text)
    • http://pewulalabes.epizy.com/in_between_the_sheets_mcewan.pdf (in PDF document text)
    • http://foduxidepozipiw.myartsonline.com/sovagomom.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/6a5a9e36-4240-4614-a86d-6e9f0d267db6/adobe_premiere_pro_2020_mac_download_free_full_version.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/da653bb3-0bee-4403-8989-8536231092d2/a_song_of_ice_and_fire_stark_girl.pdf (in PDF document text)
    • https://e86c6366-0652-46cb-9e1f-5633a133dba9.filesusr.com/ugd/510a18_9b3830a4f97e41caa7a9bc56fd25a431.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/9746a7db-029f-4ee2-949a-b3dfdce333d9/54701570789.pdf (in PDF document text)
    • https://dfa52777-3edb-460f-9b14-ca5101cd4ecc.filesusr.com/ugd/5360f8_0bd536c4dbbb4a2bb93ea630694ceada.pdf?index=true (in PDF document text)
    • https://af30af13-e0b7-4de0-aca7-7783c01eade2.filesusr.com/ugd/9757e7_b65f4b4b9ba54a2ebd7f208c679c6f88.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/8c7798a5-988f-45dd-be62-a46da6a6c827/87874873819.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    • http://www.geocities.com/mitra_anirban/hobbies.htmGNU (in PDF document text)
    • http://www.gnu.org/copyleft/gpl.htmRegular (in PDF document text)

Extracted artifacts (7)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
stream_007_off00017be3.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x17BE3 | 17148 bytes
  SHA-256: 236b194945f088bd5eb2d026c18b2be32723ca8311a43397d542dfd858cc8810
font_00_sfnt_off000109cb.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x109CB | 5648 bytes
  SHA-256: 9078075bc9d49eb3f1e8e4f3010999242dcaf40b585ccbfb53200c9d76005a79
font_01_sfnt_off00011d9a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11D9A | 5596 bytes
  SHA-256: 0cd6ff9281bfc04b7c352a2d1ff66bcf94fa8595d6bd963a47ebfd12ee789fd1
font_02_sfnt_off00013095.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13095 | 3856 bytes
  SHA-256: a9241871856db2a3810f0b933d95a582f82631bb97f55d3cf8b8d382a42c50ff
font_03_sfnt_off00013f09.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13F09 | 4888 bytes
  SHA-256: b71e7ebbf1cf38f4280de4f0a7de58d2c1decc465455bff0db5efeff14032231
font_04_sfnt_off00014ef9.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x14EF9 | 14324 bytes
  SHA-256: afb89b244ae5fd283e114d63fe512a01e6ae3afefa35dee54a5001148a35829f
font_06_sfnt_off00019506.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x19506 | 3636 bytes
  SHA-256: 147c3595cb500d089fc3ca998227d2b414d09336eb87cdc7d37cfe1483adf19b