Malicious PDF — malware analysis report

Static analysis result for SHA-256 f37f9b2eff3829af…

MALICIOUS

PDF

80.9 KB Created: 2021-03-31 12:32:46 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0b1e6ca174448396e19db0ff0288c230 SHA-1: 76fe0fd4239be23d566e7ad4b3ebab734a6b599c SHA-256: f37f9b2eff3829af91ae69a7f7ab4475378d7bfc4984c0435e01a33948afde6f
206 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains numerous external links, many hosted on disposable domains, suggesting a link farm or phishing lure. The ML classifier and ClamAV detection strongly indicate malicious intent. The presence of embedded URLs and the heuristic 'SE_CALLBACK_LURE' suggest the document is designed to trick users into clicking links that could lead to credential harvesting or malware downloads, possibly disguised as support or billing-related content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 7

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://xezojetit.ru/123?utm_term=bt+home+hub+5+type+a+manual
    • https://fuwelobuzade.weebly.com/uploads/1/3/4/6/134649994/wakipedafofakozawud.pdf
    • https://magojumenuta.weebly.com/uploads/1/3/4/3/134361537/galovewi.pdf
    • https://teworovesub.weebly.com/uploads/1/3/0/7/130775402/jagaf.pdf
    • http://letnesil.xyz/giropanotoximigopib.pdf
    • https://vavaxomutiposev.weebly.com/uploads/1/3/0/7/130738712/2191674.pdf
    • http://vawadofofasip.getenjoyment.net/apostila_alimentao_saudvel.pdf
    • http://boketizabujig.scienceontheweb.net/adultery_paulo_coelho_english.pdf
    • http://wegoradubi.sportsontheweb.net/la_mujer_en_el_budismo.pdf
    • http://kogemotuju.getenjoyment.net/magick_liber_aba_aleister_crowley.pdf
    • https://ginuwedisifixel.weebly.com/uploads/1/3/4/7/134744372/964ba5f0041.pdf
    • http://honbiz.pro/the_bell_jar_sylvia_plath_download2u5de.pdf
    • http://vojemodipu.sportsontheweb.net/viguranakavagagunakaraded.pdf
    • http://lusolakidareve.mywebcommunity.org/what_are_the_main_characteristics_of_liberalism_and_realism.pdf
    • https://babibuxa.weebly.com/uploads/1/3/5/3/135302477/feviribivovusal.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://ac402fee-74f4-49a6-b5a4-6a03c6a057de.filesusr.com/ugd/b0cd75_9181f09fc8c44f5191cbacdc74b52c02.pdf?index=true
    • https://b81e1767-bb0d-4562-9f98-cfef66859bb1.filesusr.com/ugd/b48b60_479ffaf5954d41cbae9a9d645e6b5d1f.pdf?index=true
    • https://e79dab91-b8ca-4f03-a7cf-74564eaa1d8a.filesusr.com/ugd/009cd4_d22d8ec04e9a4175a324bf93afc7a807.pdf?index=true
    • http://perexuwofogefo.onlinewebshop.net/best_resistance_bands_uk.pdf
    • https://78905da9-dd21-4190-abaa-c894c042e703.filesusr.com/ugd/851c7c_ef0d52a5b1954eb28558501abfd893c3.pdf?index=true
    • http://fikelamizogu.myartsonline.com/asme_b31._4_free_download.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f19b.bin
1f4076edfdf2b315ab0f51486f43fde62608dc2499ffb16086ae212634177eb6		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF19B 5036 bytes
font_01_sfnt_off0001029f.bin
27842ccc576e4af376139768fed073baa950de221a37964362d9c55bab633f3d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1029F 10992 bytes
font_02_sfnt_off0001285a.bin
4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1285A 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.