Malicious PDF — malware analysis report

Static analysis result for SHA-256 dee327a0c90820ce…

Verdict: MALICIOUS
File type: PDF
Size: 69.9 KB
Created: 2021-02-06 07:36:39 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a6c7660dc11e95940dd35661e0649552
SHA-1: 2c5694e7cc4720f5b4da275d0fc0994f9d04a9a6
SHA-256: dee327a0c90820cec2aa9bfd48baeda644bcd8a386c7923c2cebfdc534107ddb
Risk score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF carries clickable URIs that point at redirector infrastructure associated with a known malicious PDF SEO/adware delivery campaign (heuristic PDF_MALICIOUS_REDIRECTOR_LINK), and the ML classifier flagged the document with high confidence (score 0.9815). No scripts were extracted, so the sample depends on the user clicking a link and following a redirect chain, most likely to a phishing page or to a download of a secondary payload, rather than on a parser vulnerability. The T1059.007 (JavaScript) mapping is not corroborated by any extracted script and should be read as provisional; the link-based lure is the observed behaviour.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9815

Heuristics (3)

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • CLAMAV_DETECTION (critical): ClamAV signature Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
    ClamAV detected this file as malware under the signature above.
  • EMBEDDED_URL (info): Embedded URLs
    One or more URLs were extracted from the document. A URL by itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://yafferge.ru/aws?utm_term=causes+of+environmental+pollution+pdf
    • https://cdn.sqhk.co/jipogidara/jconjaX/numuzefirijidakojemonuzo.pdf
    • https://cdn.sqhk.co/lewulula/ijcrvjj/quran_urdu_translation_audio_app.pdf
    • http://worldthailand.fun/537926608277zwod.pdf
    • http://originalhallyu.com/kaponakomijuqe84n.pdf
    • https://cdn.sqhk.co/wajerewuwer/ibjaevj/rumble_fish_movie.pdf
    • http://tronreserve.online/ruwikolumogofozumusaripotiu3ev.pdf
    • https://cdn.sqhk.co/noxuluni/2haNaic/84902513374.pdf
    • http://thelandofbadideas.com/jidot9n0h6.pdf
    • http://maska-respirator.shop/4990643491k7xwp.pdf
    • http://greatholl.com/likivizedagbr3b3.pdf
    • http://kudretbozaci.com/dx11_feature_level_10.0_download_windows_105gf7a.pdf
    • https://cdn.sqhk.co/gawagunikuw/aijc7ij/the_walking_dead_season_1_characters.pdf
    • https://cdn.sqhk.co/tezikegoj/egd94Gv/flight_simulator_military_jets.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/loneminovu/62952674167.pdf
    • https://s3.amazonaws.com/vosimalume/cardiopulmonary_assessment_form.pdf
    • https://s3.amazonaws.com/wukara/kedejilezomivomepuf.pdf
    • https://s3.amazonaws.com/kotodur/gst_tax_calculator.pdf
    • https://s3.amazonaws.com/kifutizijebuj/anastasia_brow_definer_color_guide.pdf
    • http://scripts.sil.org/OFL
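To show how the per-URL channel labels referred to above are produced, and how the redirector-link heuristic can be applied to them, here is an added example written for this page (it is not the scanner vendor's code and not anything recovered from the sample): a small Python extractor that walks PDF objects, pulls URLs out of /URI link actions, out of /JavaScript action strings, and out of decoded FlateDecode content streams, labels each URL by the channel that reached it, and matches hosts against a redirector list. It goes beyond the report's single case by covering all three channels in one pass. Everything it scans is hand-built inside the script; example.invalid is a placeholder host; and treating yafferge.ru as the redirector host is an assumption made for the example, because the report names the heuristic but not the host it matched.

```python
import re
import zlib
from urllib.parse import urlparse

# Hosts treated as known redirector infrastructure. ASSUMPTION for this example:
# the report says the PDF links to such infrastructure but does not name the host,
# so the host of the first listed URL is used purely to exercise the matching logic.
KNOWN_REDIRECTOR_HOSTS = {"yafferge.ru"}

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.S)
# /URI and /JavaScript actions whose target is a literal string "( ... )";
# the lookbehind skips escaped parentheses inside the string.
URI_RE = re.compile(rb"/S\s*/URI\b[^>]*?/URI\s*\((.*?)(?<!\\)\)", re.S)
JS_RE = re.compile(rb"/S\s*/JavaScript\b[^>]*?/JS\s*\((.*?)(?<!\\)\)", re.S)
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'*+,;=%-]+")


def build_sample_pdf():
    """Hand-assembled sample PDF (constructed for this example, not the analysed file).

    It exercises three channels: a /Link annotation with a /URI action, an /OpenAction
    that runs JavaScript containing a URL, and visible text in a FlateDecode'd stream.
    """
    page_text = b"BT /F1 12 Tf 72 720 Td (Fonts: http://www.ascendercorp.com/ OFL.) Tj ET"
    packed = zlib.compress(page_text)
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Contents 4 0 R /Annots [6 0 R] >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed)
        + packed + b"\nendstream",
        # JavaScript action; example.invalid is a placeholder host, not from the report
        b"<< /S /JavaScript /JS (app.launchURL\\(\"http://example.invalid/hop\", true\\);) >>",
        # Clickable link annotation carrying the first URL listed in the report
        b"<< /Type /Annot /Subtype /Link /Rect [72 700 400 730] /A << /S /URI "
        b"/URI (https://yafferge.ru/aws?utm_term=causes+of+environmental+pollution+pdf) >> >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objects, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objects) + 1, xref_at))
    return bytes(out)


def split_stream(body):
    """Return (dictionary bytes, decoded stream bytes or None) for one object body."""
    m = re.search(rb"\bstream\r?\n", body)
    if not m:
        return body, None
    head = body[:m.start()]
    length = re.search(rb"/Length\s+(\d+)", head)
    if length:  # trust /Length: binary data may itself contain the word "endstream"
        data = body[m.end():m.end() + int(length.group(1))]
    else:
        data = body[m.end():body.rfind(b"endstream")]
    if re.search(rb"/Filter\s*/FlateDecode\b", head):
        try:
            data = zlib.decompress(data)
        except zlib.error:
            return head, None  # truncated or corrupt stream: nothing to scan
    return head, data


def _clean(raw):
    return raw.rstrip(b".,;:'").decode("ascii", "replace")


def extract_urls(pdf):
    """Return sorted (channel, url) pairs: which PDF mechanism reached each URL."""
    found = set()
    for m in OBJ_RE.finditer(pdf):
        head, data = split_stream(m.group(2))
        for rx, channel in ((URI_RE, "link annotation"), (JS_RE, "JS")):
            for hit in rx.finditer(head):
                literal = hit.group(1).replace(b"\\(", b"(").replace(b"\\)", b")")
                for u in URL_RE.finditer(literal):
                    found.add((channel, _clean(u.group(0))))
        if data is not None:  # URLs written as visible text on the page
            for u in URL_RE.finditer(data):
                found.add(("document body", _clean(u.group(0))))
    return sorted(found)


def flag_redirectors(findings, blocked_hosts):
    """Keep findings whose host is, or is a subdomain of, a known redirector host."""
    hits = []
    for channel, url in findings:
        host = (urlparse(url).hostname or "").lower()
        if any(host == b or host.endswith("." + b) for b in blocked_hosts):
            hits.append((channel, url))
    return hits


if __name__ == "__main__":
    sample = build_sample_pdf()
    findings = extract_urls(sample)
    for channel, url in findings:
        print(f"{channel:16} {url}")
    for channel, url in flag_redirectors(findings, KNOWN_REDIRECTOR_HOSTS):
        print(f"REDIRECTOR via {channel}: {url}")
```

The channel is what turns a bare URL into a finding: a URL that only appears as page text needs the reader to copy it, a link annotation needs one click, and a JavaScript action can fire on open. The object split here is regex-based and reads only literal-string actions, so it will miss URLs inside object streams (/ObjStm) or in /JS values that reference a separate stream; a production scanner should walk the xref and decode object streams before applying the same channel logic.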

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000e776.bin
SHA-256: 2bf5c31859bb59cb6c3407014abce045e7ee293447aad21183486d84bc781920
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xE776
Size: 5152 bytes

Filename: font_01_sfnt_off0000f8ec.bin
SHA-256: 975b873bde7f0e193ee5c4a58cde82ea96515ae877e59acf517a9157338d6a2f
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xF8EC
Size: 10540 bytes