Malicious PDF — malware analysis report

Static analysis result for SHA-256 fb0a5271c119c2e9…

MALICIOUS

PDF

63.8 KB Created: 2021-04-10 18:37:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a7eb416994e65c2a3c303bf6737fc29f SHA-1: 38c9f6f6ee8d9b474c91b1613516cd83d676a5df SHA-256: fb0a5271c119c2e9b64ab0c90d2926f2779977a9ecc0c74eff4c410063ccc1c5
124 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was flagged by multiple heuristics, including a critical ClamAV detection for 'Pdf.Phishing.Trojan'. The PDF contains numerous embedded URLs, many of which are structured as link farms, suggesting an attempt to redirect users to malicious sites. While no scripts were explicitly extracted, the presence of embedded URLs and the 'PDF_SEO_DISPOSABLE_LINK_FARM' heuristic indicate a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9519

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://grossenbacher.co.nz/en/system/files/avoidance-training-certificates/3242210986.pdf
    • https://www.natsihwa.org.au/sites/default/files/webform/51762260361.pdf
    • https://www.mothercare.ro/sites/default/files/webform/resumes/jevosofotabotasif.pdf
    • http://klm3fg.grhosting.cz/sites/default/files/webform/files/6948618973.pdf
    • https://www.telluridescience.org/sites/default/files/tstc-applications/dadesiludidogujuta.pdf
    • http://spotlight-sites.com/sites/default/files/webform/loboje.pdf
    • http://cicatsalud.com/html/sites/default/files/webform/39809543560.pdf
    • https://www.termis.org/system/files/webform/776381217.pdf
    • http://russian-ice-spb.ru/sites/default/files/webform/files/69309865186.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://feedproxy.google.com/~r/Uplcv/~3/LPIa9PGmDLg/uplcv?utm_term=9.s%25C4%25B1n%25C4%25B1f+palme+matematik+soru+%25C3%25A7%25C3%25B6z%25C3%25BCmleri
    • https://www.ice.cam.ac.uk/sites/www.ice.cam.ac.uk/files/webform/68876097481.pdf
    • https://ubmemeaensoprod.s3.amazonaws.com/ifsec_international/call_for_papers/2021/03/60395266702.pdf
    • https://www.healthdata.org/sites/default/files/resumes/mavesoriv.pdf
    • https://lib.asu.edu/system/files/webform/delibenapu.pdf
    • https://www.healthdata.org/sites/default/files/resumes/18848190838.pdf
    • https://lib.asu.edu/system/files/webform/53252105934.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c286.bin
748e6680b52d450398f2eeb029e821873b13a401166403bad1ce797b9249f813		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC286 5608 bytes
font_01_sfnt_off0000d503.bin
d8913b82921333f2cc414260ade90df947d99cbbfa8165ce6a86b8ffb3e4eec5		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD503 11148 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.