Malicious PDF — malware analysis report

Static analysis result for SHA-256 ea9fed3c4a55813c…

MALICIOUS

PDF

121.2 KB Created: 2021-01-05 05:11:10 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-27
MD5: 30441656dd1acbdb4982f0682c7d9a55 SHA-1: b9c5f335f37572ccd42490307d3f381f0596e747 SHA-256: ea9fed3c4a55813c43c57160d5e0f59527606cb2fbf3c4ae1c63f5e457ee03ce
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document was detected as malicious by ML classifiers and ClamAV, indicating a phishing or trojan threat. It contains a large number of external links, many pointing to disposable hosting, suggesting a link farm or redirection scheme. The embedded URLs likely serve to direct users to malicious sites, potentially for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffset.ru/aws?utm_term=apd+full+form+in+insurance PDF link annotation
    • https://static.s123-cdn-static.com/uploads/4503874/normal_5fc78e0e88304.pdfIn PDF document text
    • https://jazediwugitali.weebly.com/uploads/1/3/4/7/134730671/e4d377.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4487413/normal_5fe1830d91960.pdfIn PDF document text
    • https://femobideja.weebly.com/uploads/1/3/4/7/134735935/zuxasunimonavesap.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4404523/normal_5fb035a80916f.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4496360/normal_5faf0877455dd.pdfIn PDF document text
    • https://nolipugi.weebly.com/uploads/1/3/4/6/134652161/1454341.pdfIn PDF document text
    • https://xavujome.weebly.com/uploads/1/3/0/7/130739328/supokotivudasupodox.pdfIn PDF document text
    • https://sijanobodebalu.weebly.com/uploads/1/3/4/6/134639398/ef60a5435e.pdfIn PDF document text
    • https://pojutawetuje.weebly.com/uploads/1/3/1/3/131382470/dosax.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://www.daltonmaag.com/In PDF document text
    • https://uploads.strikinglycdn.com/files/9c4c21bf-7a7c-454a-b2b7-cbab46ecf91a/38081264360.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/8853e8e3-e4f6-4b25-b666-0d6352e021b5/11613445818.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/0741d64b-d19c-4aef-8c27-9f5b0b3b0e14/xekevuxigatigekifenugozaj.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/8cfe57fb-7230-42e2-8b17-bc3bc9523b2c/organizational_chart_and_hierarchy_k.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00017b8c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x17B8C 5092 bytes
SHA-256: bb9b1d149171b276f99815b49136adb99f53fa5463161bd1d7df2db76a6e8ba8
font_01_sfnt_off00018cb6.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x18CB6 11684 bytes
SHA-256: db2f2334ed3b054797583a75868fd4ee46a5313cd94b998132aad97357d726f9
font_02_sfnt_off0001b42d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1B42D 16060 bytes
SHA-256: 1143ecdd1036854af7781a9416d0a82fe6fe24e09269eea81b933035be45ec4a
font_03_sfnt_off0001c8bf.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1C8BF 4324 bytes
SHA-256: ce7e2e230a41ba6fc2d7d2240890c8289d67876d84a3d076d67c0b48111c8230

Open this report in the interactive analyzer, or submit your own file for analysis.