Malicious PDF — malware analysis report

Static analysis result for SHA-256 e6b49a6ade06f77f…

MALICIOUS

PDF

67.6 KB Created: 2021-01-11 23:01:20 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: cd0751f8b0d7e326e7dc1552f73736c4 SHA-1: d88785957e685ae1072cab7a4e9a084f3a59d904 SHA-256: e6b49a6ade06f77fe16a46c0a5f7f1414d8da4201fabe11bdd44b3c857c5fd05
124 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The sample is a PDF document that contains numerous embedded URLs, many of which point to disposable hosting or redirectors, indicating a phishing or malicious content distribution scheme. The ML classifier and ClamAV detection strongly suggest malicious intent, likely related to phishing or malware delivery. Although no scripts were explicitly extracted, the PDF structure and embedded URIs are indicative of techniques used to redirect users to malicious websites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7648

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffnew.ru/aws?utm_term=clorox+performance+bleach+safety+data+sheet
    • https://site-1174988.mozfiles.com/files/1174988/update_phones_custom_configuration.pdf
    • https://site-1168368.mozfiles.com/files/1168368/29636829905.pdf
    • https://cdn-cms.f-static.net/uploads/4365563/normal_5f88ddb7b2e16.pdf
    • https://cdn.sqhk.co/badaxiloru/chdgdgf/34918992216.pdf
    • https://midagadin.weebly.com/uploads/1/3/1/3/131381693/detarixon.pdf
    • https://cdn.sqhk.co/digiwejasipu/jejiunx/tesakaxotelopopegopujuvu.pdf
    • https://wawupibinotab.weebly.com/uploads/1/3/4/9/134900246/nilevotetuminaliji.pdf
    • https://site-1173894.mozfiles.com/files/1173894/free_fire_4k_wallpaper_download_for_mobile.pdf
    • https://cdn-cms.f-static.net/uploads/4368266/normal_5f953c89ba3bc.pdf
    • https://site-1171694.mozfiles.com/files/1171694/ikea_dresser_hemnes_black.pdf
    • https://bijasekimuku.weebly.com/uploads/1/3/4/5/134593614/fujumikoza.pdf
    • https://site-1173607.mozfiles.com/files/1173607/mugaxajosopodopufug.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/wewuxuviwar/visadi.pdf
    • https://s3.amazonaws.com/gazivemon/40636955596.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d087.bin
6a7e9eb6c9d52108ee1170b35081e473f23b39dac3f322b70ce0316763017cfe		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD087 5612 bytes
font_01_sfnt_off0000e36e.bin
51fa0e1afa3dc73d33d9ca47dff3a8edb0cf6192f81008982718b5bf275bc029		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE36E 10876 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.