Malicious PDF — malware analysis report

Static analysis result for SHA-256 01c9100ffafc814d…

Verdict: MALICIOUS
File type: PDF
Size: 73.6 KB
Created: 2021-03-26 10:30:23 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8f4b5af69421ec52d3e34aad1af1a821
SHA-1: 92bcbf6bf44717329df10fa6a2beadf7d56c0772
SHA-256: 01c9100ffafc814dd97ad33655e4f8b594ecd7e782691585a780ea15bc9744d8
Risk Score: 154

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged by multiple heuristics, including ClamAV and an ML classifier, indicating malicious content. It contains a large number of external links, many of which appear to be part of a link farm designed to improve search engine rankings, with one prominent link leading to 'dafemum.ru'. The document body, though partially corrupted, suggests a lure related to 'certified ethical hacker full course pdf ceh v9', likely intended to trick users into visiting the malicious URL.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.8896

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://dafemum.ru/award?keyword=certified+ethical+hacker+full+course+pdf+ceh+v9

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000e217.bin
    SHA-256: 09dd7535d651f847d445ac23be5a9710e0116086b5dd51300f0428857020b4ea
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE217
    Size: 5324 bytes
  • font_01_sfnt_off0000f44c.bin
    SHA-256: 2a135fc9a74aabac537897752d1d32118485a2e74edce6f23e18b8fdfd86e149
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF44C
    Size: 11396 bytes
  • font_02_sfnt_off00011b21.bin
    SHA-256: d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11B21
    Size: 4324 bytes