Malicious PDF — malware analysis report

Static analysis result for SHA-256 e5d9b03ce3471f6f…

MALICIOUS

PDF

Size: 73.5 KB
Created: 2021-09-09 02:38:43 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-10-05
MD5: c2c5a8bc0d69bdc62f5ed258afa1db91
SHA-1: 7f3d50448da72a6c98c1da6c342842a296b83717
SHA-256: e5d9b03ce3471f6fa118b60ff53f39f41c2449650e04be705442a2043c16bd31
Risk Score: 124

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5898

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000d52d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD52D | 11284 bytes
    SHA-256: 210c6b1f33bc6252444b43fb8ccb09be28b2a212d010db3567a30da286ae5739
font_01_sfnt_off0000ef5d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEF5D | 16792 bytes
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1