Malicious PDF — malware analysis report

Static analysis result for SHA-256 eaca2adf43c649cc…

MALICIOUS

PDF

63.8 KB Created: 2021-04-16 22:23:19 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-06-17
MD5: 317f713d802a4a4c31d7dd555a6de7a2 SHA-1: 25654c8154e5691701c5b1a85af770e0158929a0 SHA-256: eaca2adf43c649cc7f9c5a43a2a572ca64fb199c41de6313d59cf34bbdf752be
124 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution T1059.007 JavaScript

The PDF contains numerous embedded URLs, many of which are part of a link farm designed to redirect users. Heuristics indicate this is a phishing attempt, and ClamAV detection confirms it as malicious. The ML classifier also flagged it with high confidence, suggesting it's designed to lure users to external sites, likely for credential harvesting or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8289

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://www.termis.org/system/files/webform/manejuwavujegajejumoxak.pdf In PDF document text
    • https://aboss.by/sites/default/files/webform/89266631471.pdfIn PDF document text
    • https://www.termis.org/system/files/webform/776381217.pdfIn PDF document text
    • http://www.friendlycc.com/sites/default/files/webform/topevonizudurazot.pdfIn PDF document text
    • https://www.jwico.com/sites/default/files/webform/47965191786.pdfIn PDF document text
    • https://ambrose.edu/sites/default/files/webform/lajeriz.pdfIn PDF document text
    • http://portal-mysigma.com/system/files/student-proof/9555400870.pdfIn PDF document text
    • https://www.mothercare.ro/sites/default/files/webform/resumes/sojivezogi.pdfIn PDF document text
    • https://www.enwidth.com/sites/default/files/webform/resumes/fudigebifofonixetizitalu.pdfIn PDF document text
    • https://aboss.by/sites/default/files/webform/31226501773.pdfIn PDF document text
    • https://www.uts.cw/sites/default/files/webform/89737617204.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/S30rS-6n6vg/uplcv?utm_term=mercs+2.0+rulebook+pdfPDF link annotation
    • https://lib.asu.edu/system/files/webform/bidemuf.pdfIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e193.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE193 5456 bytes
SHA-256: e08d507659adc805c49f97b0ff9db78b3e0edb9e726cad66ba41e99f366f0cd1

Open this report in the interactive analyzer, or submit your own file for analysis.