Malicious PDF — malware analysis report

Static analysis result for SHA-256 fdec447b696ce103…

MALICIOUS

PDF

75.7 KB Created: 2021-04-07 09:26:53 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-27
MD5: 3f8ca5969a4de3b8eb68a61fb1f9ada6 SHA-1: 1fed021450062959257f0a9b908298658f3b818f SHA-256: fdec447b696ce103d0da0788fb61d64e94909ba5e74467e210bb128fb03e8654
184 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The sample is a PDF document flagged by multiple heuristics as malicious, including a critical finding for linking to known malicious redirector infrastructure. The document body, though heavily obfuscated, contains text related to product reviews, suggesting a lure. The numerous embedded URLs point to disposable domains, indicating a phishing or scam campaign aimed at users searching for product information.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://dafemum.ru/strik?utm_term=conair+extreme+steam+handheld+reviews In PDF document text
    • https://cdn.sqhk.co/tozegatopaxu/jdrgj3s/nezelakofu.pdfIn PDF document text
    • http://xagelofitu.22web.org/guzinapiz.pdfIn PDF document text
    • http://zukilobuzoroko.66ghz.com/bojijubizi.pdfIn PDF document text
    • https://cdn.sqhk.co/xanovixewin/gjlgdhc/formula_racer_2_unblocked.pdfIn PDF document text
    • https://cdn.sqhk.co/pemanunid/eih0gdO/25448389107.pdfIn PDF document text
    • https://cdn.sqhk.co/vefusujix/gd6SLXR/auto_spare_parts_in_japan.pdfIn PDF document text
    • https://cdn.sqhk.co/gipekoma/aqjaibA/11374001050.pdfIn PDF document text
    • http://mxbur.fun/alamy_stock_freec506h.pdfIn PDF document text
    • http://reduslim-eu.site/reparto_de_la_pelicula_el_rey_del_tomate9avbe.pdfIn PDF document text
    • https://cdn.sqhk.co/sabumijobude/iVrhgMr/jexerowatokagagavixume.pdfIn PDF document text
    • https://cdn.sqhk.co/menasimax/hcgfrgj/91749640480.pdfIn PDF document text
    • http://sis-paypal.com/golofopowotodipurppk70.pdfIn PDF document text
    • http://alternativeinfluencenetwork.net/the_conversion_code_chris_smith_downloadqu8pv.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/16992694-8d23-4592-9d40-c62a20056247/gatajudawefobuz.pdfIn PDF document text
    • http://xomupap.rf.gd/soundcraft_ui24r_app_android.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/e69ca880-d13e-4e25-a3c7-dd784bba8e8e/furukuvanewopafosuxi.pdfIn PDF document text
    • http://wupumod.rf.gd/vadopepi.pdfIn PDF document text
    • http://xelilurezo.epizy.com/cablevision_tv_guide_long_island.pdfIn PDF document text
    • https://s3.amazonaws.com/dogazisuze/lee_valley_camera_lucida_review.pdfIn PDF document text
    • https://s3.amazonaws.com/tapexiw/windows_10_update_1803_iso.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ebc5.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEBC5 5188 bytes
SHA-256: 647526180b63e68941aa98a52b88e3c8e785400ca9c593417fd3dcb3cf6e7147
font_01_sfnt_off0000fd50.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFD50 10508 bytes
SHA-256: 2d27efa90d151f8db75bb556aa1f259617e99568eb8e58365f319120fb2ed6d2