Malicious PDF — malware analysis report

Static analysis result for SHA-256 ed182aad1c48aba1…

MALICIOUS

PDF

76.9 KB Created: 2021-09-19 00:49:29 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-27
MD5: a30ccf59131e68ca5b7072f1883c24fe SHA-1: 592476e6546e40ee6b217fd97d4e51acdd702f7d SHA-256: ed182aad1c48aba1f11cf98203c468ecdb7a28867aa6dee9d2e2cfd2a890af30
172 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

The PDF contains embedded JavaScript and multiple links to external PDFs hosted on disposable domains, indicating a phishing or malware distribution attempt. The heuristic firings suggest the document is part of a link farm designed to obscure the true malicious destination, likely leading to the download of a second-stage payload. The ClamAV detection as 'Pdf.Phishing.Trojan' further supports this assessment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5190

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link to algorithmically-generated URL high PDF_RANDOM_URL_LINK
    PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://gruppocinofilomarsalese.com/userfiles/files/57756233994.pdf In PDF document text
    • http://studiomedicoveterinariobellucci.eu/userfiles/files/17819544777.pdfIn PDF document text
    • http://swissies.lt/ckfinder/userfiles/files/29007909793.pdfIn PDF document text
    • http://hakasasi.id/userfiles/file/zuvukijiguvoluna.pdfIn PDF document text
    • https://autosofortkauf.ch/wp-content/plugins/super-forms/uploads/php/files/g1ukonbujmi76n3lk4kjeehpbj/sejepejawako.pdfIn PDF document text
    • https://loyallcanada.ca/editor_files/file/zoladobidixaku.pdfIn PDF document text
    • http://www.belladermeestetica.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1613978e1a7b7f---wotukugulivoz.pdfIn PDF document text
    • http://mg001.cn/upload_fck/file/2021-9-15/20210915143048846175.pdfIn PDF document text
    • http://daiichihr.com/uploads/news_file/48055612605.pdfIn PDF document text
    • http://churchontherockuk.org/home/churchontherock1/public_html/userfiles/files/4557398195.pdfIn PDF document text
    • http://xn----ftbkdcamitb5h.xn--p1acf/files/fck/file/68901026596.pdfIn PDF document text
    • http://radio-salsa.com/php/rs/filesupload/file/34030873106.pdfIn PDF document text
    • http://akcjonariusz.com/UserFiles/file/18934620090.pdfIn PDF document text
    • http://btfa.tw/upload/files/95086510656.pdfIn PDF document text
    • http://ozona.pt/js/fckeditor/editor/filemanager/connectors/wysiwygfiles/file/wuzosanawigowu.pdfIn PDF document text
    • http://coumert.com/images/file/rovubasepifulenopew.pdfIn PDF document text
    • http://lesen-und-schenken.de/userfiles/files/44531961545.pdfIn PDF document text
    • https://volnynaklad.cz/data/file/diwojafozi.pdfIn PDF document text
    • http://bsinteriordesigner.com/userfiles/files/tiwenemew.pdfIn PDF document text
    • http://cp-tournament.org/ckfinder/userfiles/files/karuz.pdfIn PDF document text
    • http://paulgraphics.paulsfashion.in/files/67813099145.pdfIn PDF document text
    • http://ymmicro.com/files/files/29139451783.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/3CAf4wW3hvY/uplcv?utm_term=super+cloud+apkPDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e004.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE004 10312 bytes
SHA-256: f6005b8db98d02f45c14cc55efeb36b7f0ac38ed995e6bf086cbb4b3af267785
font_01_sfnt_off0000f75c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF75C 17912 bytes
SHA-256: 173a5e25001ac8b7416439a316f2b3428a2a7ca9d8b2e2629dfd4b5fb258d6f9

Open this report in the interactive analyzer, or submit your own file for analysis.