Malicious PDF — malware analysis report

Static analysis result for SHA-256 eba701038de91413…

MALICIOUS

PDF

Size: 123.5 KB
Created: 2021-03-14 05:54:57 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-21
MD5: bef5ed23a67f4402e727baf624f095e3
SHA-1: 86153cb2fd7db1cc69fafdd4a6a4808b350b17ff
SHA-256: eba701038de9141341931de4c07f78379e1a7748053d8105cfa76cf285e12210
Risk Score: 182

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The sample is a PDF file that contains numerous embedded links, many of which point to disposable hosting or known malicious redirectors. Heuristics indicate the PDF is designed as a link farm, with one critical finding specifically identifying a link to known malicious redirector infrastructure. The ML classifier and ClamAV detection further support its malicious nature, classifying it as a phishing trojan.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9680

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://dafemum.ru/award?keyword=medical+entomology+laboratory+manual+pdf (In PDF document text)
    • http://vuxiparami.22web.org/fufapowavuneturudewutizok.pdf (In PDF document text)
    • https://cdn.sqhk.co/tuledapozato/c0icb3v/carnival_shooting_gallery_guns.pdf (In PDF document text)
    • https://cdn.sqhk.co/buzaxelubot/Liqyhih/muxala.pdf (In PDF document text)
    • https://static.s123-cdn-static.com/uploads/4485440/normal_5fce723ee23b6.pdf (In PDF document text)
    • https://static.s123-cdn-static.com/uploads/4383452/normal_5fe55aa282e4b.pdf (In PDF document text)
    • http://fegivate.medianewsonline.com/madugasav.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4365546/normal_6015b5f6df96b.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4371787/normal_600d8a19cc3c2.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4464850/normal_6043376c6c6af.pdf (In PDF document text)
    • https://cdn.sqhk.co/giripiponi/jgeidjb/97269198155.pdf (In PDF document text)
    • https://cdn.sqhk.co/xawodoze/ghBk5gf/84098975636.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4366000/normal_601980654f48f.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4479226/normal_6015d068d6d6e.pdf (In PDF document text)
    • http://nibewubixela.getenjoyment.net/nanebimaxow.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4496828/normal_602da12638737.pdf (In PDF document text)
    • https://cdn.sqhk.co/duvapegoleva/aigjngf/88778440190.pdf (In PDF document text)
    • http://www.ascendercorp.com/ (In PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (In PDF document text)
    • http://dopozidimosopa.rf.gd/facebook_messenger_apk_por_uptodown.pdf (In PDF document text)
    • http://forezepolutaju.onlinewebshop.net/spt_air_conditioner_wa-1220e_manual.pdf (In PDF document text)
    • http://datojotimesa.epizy.com/severity_of_alcohol_dependence_questionnaire.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/57a75245-e140-4366-a6e4-3511d9247c4a/pipaxizizudegibibu.pdf (In PDF document text)
    • http://sivopob.epizy.com/vizokezozunojex.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/62bfab2a-4483-48ab-bca9-578e1a2d372f/what_temperature_do_i_cook_chicken_breasts_on_a_george_foreman_grill.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/b4586440-d0ed-415f-ac94-07fbc52fcff8/60035258903.pdf (In PDF document text)
    • http://scripts.sil.org/OFL (In PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off0001b64c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1B64C | 5544 bytes | 7bd4efb04cb0122726a9206adf6b75dd8081ed3a52c5d49a28f80dcbc0c3dca9
font_01_sfnt_off0001c921.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1C921 | 11488 bytes | ba592a8aaa4f087fd227988541e925367de9bc52d0ffa33b9dac47204e2444a9