Malicious PDF — malware analysis report

Static analysis result for SHA-256 030c5134170064d5…

MALICIOUS

PDF

Size: 69.5 KB
Created: 2021-04-06 06:43:58 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7183809f90f4ac66adfcf8cfcc60acc4
SHA-1: 1c09b20012e6559da2055fbfc85373718811c70b
SHA-256: 030c5134170064d598cca232ca786081eb2ca0df52cb2a90a8f90b54c190ba1e
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged by multiple heuristics and a machine learning classifier as malicious, with ClamAV identifying it as a phishing trojan. The file contains a large number of external links, suggesting it is part of a link farm designed to direct users to potentially malicious websites. While no scripts were explicitly extracted, the PDF structure and the presence of numerous URLs indicate a phishing or malicious redirection attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9683

Heuristics (5)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PDFSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000df77.bin
  SHA-256: 7d202fca37f06102de2b899ae9210fec13cfffd0472c1b1b84b9e23b1373d743
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xDF77
  Size: 5316 bytes

Filename: font_01_sfnt_off0000f17e.bin
  SHA-256: 4b222784aca7abbd30a62947355ba09774d0909ddff38d5c9f5d94ae3719bd6b
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF17E
  Size: 10844 bytes