Malicious PDF — malware analysis report

Static analysis result for SHA-256 02e862860360b096…

MALICIOUS

Type: PDF
Size: 79.1 KB
Created: 2021-03-23 16:30:47 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b313e8e5120d10d7b1fd218f3be2a391
SHA-1: 001d499fafc8377b0c01e7c7b06c8723680d33aa
SHA-256: 02e862860360b0963f1107ca616aa22b884a7afbe358ad63803fba5349976069
Risk score: 124

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of embedded URLs, most of them pointing to disposable hosting or link-farm pages, which is the pattern of a search-engine phishing lure rather than a normal document. The ML classifier and the ClamAV signature agree on a malicious verdict. No JavaScript or other script content was extracted, so the file itself is not an exploit: the risk lies in the linked destinations, which redirect users into payload or redirect chains.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8358

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV matched this file against the signature named above.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://nipisod.ru/award?keyword=betrayal+at+house+on+the+hill+errata+pdf
    • http://wagumoba.iblogger.org/atlas_copco_compressor_parts_dealers_in_india.pdf
    • https://cdn.sqhk.co/rogapakaler/hhriaig/solar_system_scope_app_download.pdf
    • https://cdn.sqhk.co/navififoro/jYLhfjg/1868589978.pdf
    • https://cdn.sqhk.co/gobuwovuv/7tTrTy2/9157999336.pdf
    • https://cdn.sqhk.co/jaselavujuwi/dHgdlhf/pepotesuluwegakotijatozuw.pdf
    • https://static.s123-cdn-static.com/uploads/4491155/normal_5ff773c959a3f.pdf
    • https://cdn-cms.f-static.net/uploads/4426267/normal_5fda47cfb8792.pdf
    • https://cdn-cms.f-static.net/uploads/4368468/normal_5fdaef87636da.pdf
    • https://cdn.sqhk.co/zimopiroxab/5gihgpk/bearded_dragon_care_book.pdf
    • https://cdn-cms.f-static.net/uploads/4449616/normal_6053602564171.pdf
    • https://cdn.sqhk.co/xafiguzi/jfgjbry/32625610894.pdf
    • http://miwukewemiko.22web.org/46638577078.pdf
    • https://static.s123-cdn-static.com/uploads/4386079/normal_5ffcd59040bb8.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/gotenukevepunin/first_grade_math_intervention_worksheets.pdf
    • http://fejusudoboriduf.rf.gd/56093609032.pdf
    • https://s3.amazonaws.com/fipijife/99313740000.pdf
    • https://uploads.strikinglycdn.com/files/7c33b683-228b-4820-a410-b55545e01388/hp_printer_5610_ink_cartridges.pdf
    • http://vagaxalelevirot.epizy.com/periodic_table_aqa_a_level.pdf
    • https://s3.amazonaws.com/vatosolikijike/chiyoda_watch_winder_instructions.pdf
    • https://uploads.strikinglycdn.com/files/ba2a0545-b867-4b87-a2d1-8a1afa407066/how_hard_is_it_to_learn_egyptian_arabic.pdf
    • https://uploads.strikinglycdn.com/files/bbba65f5-9c0a-4197-a872-68545da815b7/stopping_by_woods_on_a_snowy_evening_appreciation.pdf
    • http://zafizowi.epizy.com/bepedali.pdf
    • http://scripts.sil.org/OFL
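The link-farm heuristic and the per-URL channel labels described above can be reproduced with a short script. The following Python is an added example written for this report, not the analysis engine's code. It pulls /URI link actions and bare URLs out of raw PDF bytes, labels each URL with the channel that reached it (link annotation versus document body), and scores host dispersion, disposable hosting and SEO-redirector query keys. The thresholds, the disposable-host suffix list and the redirector keys are assumptions; the sample input is constructed from the URLs listed in this report rather than carved from the file itself, and a real PDF would need its /FlateDecode streams inflated before the regexes see the objects.

```python
"""Added example (not the analysis engine's code): a re-implementation of the
PDF_SEO_DISPOSABLE_LINK_FARM idea plus per-URL channel labels.
Thresholds, the disposable-host list and the redirector keys are assumptions."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Assumed: free/disposable content hosts (taken from the hosts in this report).
DISPOSABLE_SUFFIXES = (
    "epizy.com", "rf.gd", "22web.org", "iblogger.org", "s3.amazonaws.com",
    "uploads.strikinglycdn.com", "cdn-cms.f-static.net",
    "static.s123-cdn-static.com", "cdn.sqhk.co",
)
# Assumed: query keys that mark an SEO redirector link.
REDIRECTOR_KEYS = {"utm_term", "keyword"}

# /URI (literal string) inside a link action; handles backslash escapes but only
# in unfiltered objects (a real tool inflates /FlateDecode streams first).
_URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# Bare URLs anywhere in the byte stream (content streams, metadata, comments).
_BARE_RE = re.compile(rb"https?://[^\s<>()\"'\\]+")


def extract_urls(pdf_bytes: bytes) -> dict[str, str]:
    """Map each URL to the channel that reached it: 'link_annotation' for a
    clickable /URI action, 'document_body' for a URL seen only as bare text."""
    found = {}
    for m in _URI_RE.finditer(pdf_bytes):
        raw = re.sub(rb"\\(.)", lambda e: e.group(1), m.group(1))  # drop escapes
        found[raw.decode("latin-1")] = "link_annotation"
    for m in _BARE_RE.finditer(pdf_bytes):
        found.setdefault(m.group(0).decode("latin-1"), "document_body")
    return found


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def is_disposable(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in DISPOSABLE_SUFFIXES)


def is_redirector(url: str) -> bool:
    return bool(REDIRECTOR_KEYS & set(parse_qs(urlsplit(url).query)))


def link_farm_score(pdf_bytes: bytes, *, min_links=10, max_size=200_000,
                    max_dominant_share=0.5) -> dict:
    """Flag a small PDF whose distinct clickable links are spread thin across
    many hosts and that also shows disposable hosting or an SEO redirector."""
    urls = extract_urls(pdf_bytes)
    clickable = [u for u, ch in urls.items() if ch == "link_annotation"
                 and u.startswith(("http://", "https://"))]
    hosts = Counter(host_of(u) for u in clickable)
    total = sum(hosts.values())
    dominant_share = max(hosts.values()) / total if total else 0.0
    disposable = sorted(h for h in hosts if is_disposable(h))
    redirectors = [u for u in clickable if is_redirector(u)]
    flagged = (len(pdf_bytes) <= max_size and total >= min_links
               and dominant_share <= max_dominant_share
               and bool(disposable or redirectors))
    return {"clickable_links": total, "distinct_hosts": len(hosts),
            "dominant_share": dominant_share, "disposable_hosts": disposable,
            "redirectors": redirectors, "channels": urls, "flagged": flagged}


def build_sample(link_urls, body_urls=()) -> bytes:
    """Constructed PDF-like bytes (not the analysed file): one /Link annotation
    per clickable URL, plus bare URLs inside a text-showing operator."""
    parts = [b"%PDF-1.4\n"]
    for i, u in enumerate(link_urls, 1):
        parts.append(f"{i} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                     f"/A << /S /URI /URI ({u}) >> >>\nendobj\n".encode("latin-1"))
    for j, u in enumerate(body_urls, len(link_urls) + 1):
        parts.append(f"{j} 0 obj\n<< /Length 0 >>\nstream\nBT ({u}) Tj ET\n"
                     f"endstream\nendobj\n".encode("latin-1"))
    parts.append(b"%%EOF\n")
    return b"".join(parts)


# Constructed from a subset of the URLs in this report; a benign contrast follows.
SAMPLE = build_sample([
    "https://nipisod.ru/award?keyword=betrayal+at+house+on+the+hill+errata+pdf",
    "http://wagumoba.iblogger.org/atlas_copco_compressor_parts_dealers_in_india.pdf",
    "https://cdn.sqhk.co/rogapakaler/hhriaig/solar_system_scope_app_download.pdf",
    "https://cdn.sqhk.co/navififoro/jYLhfjg/1868589978.pdf",
    "https://static.s123-cdn-static.com/uploads/4491155/normal_5ff773c959a3f.pdf",
    "https://cdn-cms.f-static.net/uploads/4426267/normal_5fda47cfb8792.pdf",
    "http://miwukewemiko.22web.org/46638577078.pdf",
    "http://www.ascendercorp.com/",
    "https://s3.amazonaws.com/gotenukevepunin/first_grade_math_intervention_worksheets.pdf",
    "http://fejusudoboriduf.rf.gd/56093609032.pdf",
    "https://uploads.strikinglycdn.com/files/7c33b683-228b-4820-a410-b55545e01388/hp_printer_5610_ink_cartridges.pdf",
    "http://scripts.sil.org/OFL",
], body_urls=["http://www.ascendercorp.com/typedesigners.html"])
BENIGN = build_sample(["https://example.org/report.pdf"] * 3)

if __name__ == "__main__":
    for name, pdf in (("sample", SAMPLE), ("benign", BENIGN)):
        r = link_farm_score(pdf)
        print(name, r["flagged"], r["clickable_links"], r["distinct_hosts"],
              round(r["dominant_share"], 3), len(r["disposable_hosts"]),
              len(r["redirectors"]))
```

On the constructed sample the most common host (cdn.sqhk.co) holds only 2 of 12 clickable links, eight hosts match the disposable list and one link carries a keyword= redirector parameter, so the verdict is flagged; the three-link contrast with a single host is not. The channel map is what lets an analyst separate lure links from URLs that merely occur in the body, which matters for the font-licence URLs at the end of the list above.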

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                       Size
font_00_sfnt_off0000f472.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xF472    5164 bytes
  SHA-256 5686ddc6cf94ddd167ad7f5686c8c04c2f5128469f0763a8f8262a9f7e5d964f
font_01_sfnt_off000105f4.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x105F4   2636 bytes
  SHA-256 b51eac3ccb06b29a138b7e071450561cbf6bfbabb20aa24e55831031163a2860
font_02_sfnt_off0001112b.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1112B   10488 bytes
  SHA-256 1d2ca450dd5a80f16fa2327289901dda671e72dad64993f142810683345323e5

Three embedded sfnt fonts and no JavaScript, embedded files or launch actions is the expected shape of a wkhtmltopdf render of an HTML page. The two font-vendor URLs in the embedded URL list (scripts.sil.org/OFL is the SIL Open Font License page, www.ascendercorp.com a type foundry) most likely come from the name tables of these fonts rather than from lure links; check their channel label before counting them toward the phishing pattern.