Malicious PDF — malware analysis report

Static analysis result for SHA-256 ed473df92e1fef40…

MALICIOUS

PDF

131.7 KB Created: 2021-03-16 22:12:03 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-07-07
MD5: a3421112dc932fe2d6d52d2266ded18e SHA-1: 4ba0cc6bf3cc81b3afe2633f150de65f3e96b6b2 SHA-256: ed473df92e1fef400d6cabf86fa647b5fada63aaf7643b802b9de3f35da43327
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains a large number of external links, many pointing to disposable hosting, and is flagged by heuristics as a link farm. The ClamAV detection and ML classifier indicate malicious intent, specifically identified as Pdf.Phishing.Trojan. The document body, though heavily obfuscated, suggests a lure related to store closures, likely intended to direct users to malicious websites for phishing or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9973

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://maypoin.ru/wix?keyword=list+of+kmart+stores+closing+in+2020 PDF link annotation
    • http://detonic-romania.website/47266642635zs5xn.pdfIn PDF document text
    • http://copyright-central-media.com/bojuvipisovoxupasoxowe6bcas.pdfIn PDF document text
    • http://meblik.su/86497594730vk5la.pdfIn PDF document text
    • http://rawenspant.online/onlyfans_sem_pagard7n94.pdfIn PDF document text
    • http://paypallsecurity.com/xuzetozamopudirawipozuc5y82.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://www.daltonmaag.com/In PDF document text
    • https://167c2301-eccc-4e3a-a609-38a4f17b9bf8.filesusr.com/ugd/b1dabf_028c9a7fed2c4355a88e62d711f32be3.pdf?index=trueIn PDF document text
    • https://0dd4521b-3e41-4083-9bcc-807cce03ae78.filesusr.com/ugd/cfe2e9_3fe55a3fafa14e6b8ca9250c6d390917.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/6e3028aa-00ee-4045-9c51-fdae5bf8792d/28910808760.pdfIn PDF document text
    • https://d19688e0-347f-4d9d-8cb3-d47c6e049f3d.filesusr.com/ugd/c618e9_f7b2a7cfb52d472eaadc55a7bb32d275.pdf?index=trueIn PDF document text
    • https://c183b790-cb34-49aa-848e-1a9f2b14dda3.filesusr.com/ugd/d8966e_47be99c0957f447faa02e1b646a1bd3e.pdf?index=trueIn PDF document text
    • https://a179b4bb-f9e1-4b0b-8685-f881d2afde68.filesusr.com/ugd/0fdb6d_8e2621f4731243acaef82a7956cfdc8d.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/9e9267c4-4e55-4ac9-a36d-e2ab0ce61955/werevuxobikijonutodo.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/a697ad81-adcd-48f7-b5f0-7479c6f4a1e2/30_day_green_smoothie_challenge_results.pdfIn PDF document text
    • https://0bc2ebcf-5b85-435c-8290-6c6350a165f2.filesusr.com/ugd/ee98f5_901b343f4fe84bb2bbab82a0b3e541ba.pdf?index=trueIn PDF document text
    • http://jebavonorimu.rf.gd/what_are_the_8_routes_of_drug_administration.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/88acd035-cdf2-4750-83fe-f38f78e5d8a5/ball_python_snake_breeds.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/f30a6eb8-d084-4f43-8bbe-38b993b822f0/kenwood_kvt-516_reset_button.pdfIn PDF document text
    • https://7915398d-c9c2-4241-abdb-40cf742e4b8d.filesusr.com/ugd/d4df0f_3abb70d3ccfe4186908e55738a5b8b29.pdf?index=trueIn PDF document text
    • https://042e50b4-45d0-4577-915a-c14d43ab21ad.filesusr.com/ugd/18f527_551eedae87624f7abe460cfb914079de.pdf?index=trueIn PDF document text
    • http://tevufom.epizy.com/cause_and_effect_diagram_visio_template.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/f9f8566a-0e94-4c79-a6c6-70af89328736/g_shock_watch_battery_life.pdfIn PDF document text
    • http://dowirefe.rf.gd/tigukuxulujolageka.pdfIn PDF document text
    • http://derizarage.epizy.com/90505907143.pdfIn PDF document text
    • https://7ef7ebf0-bcb0-4ca2-8538-5a19c3e9f01c.filesusr.com/ugd/aff7ca_1dde99cd81194f6c9c97cf5e2d3d665e.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/1ce1fc85-b10a-4a7c-89b1-810d2dba0014/linear_and_non_linear_data_structure_ppt.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001a174.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1A174 5268 bytes
SHA-256: 08023a9c886ccf7575a83ac9c6ed0d0dcdcb27eaa88a2a89b0aff0aaecde64c5
font_01_sfnt_off0001b340.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1B340 12508 bytes
SHA-256: 4876da3999b761753f5f839c50a12388d36ff3e9eb49dd2a90ebf4f7df5da34c
font_02_sfnt_off0001dd7c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1DD7C 16060 bytes
SHA-256: 5b0d2701ab39d2f69c66d7d16c60d8db0b323aa0832947137e757b5401d27330
font_03_sfnt_off0001f214.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1F214 4324 bytes
SHA-256: ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3

Open this report in the interactive analyzer, or submit your own file for analysis.