Malicious PDF — malware analysis report

Static analysis result for SHA-256 03a35650dfcaec4f…

Verdict: MALICIOUS
File type: PDF
Size: 73.5 KB
Created: 2021-06-05 17:57:48 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6d96decf257695156329e0e8ee1d9662
SHA-1: 685dd01587ef10221e7448f3ed426c87f770ad77
SHA-256: 03a35650dfcaec4fc81bcf98aaf513c17ec17148c853e5651b6795da23be727d
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The file is a small PDF rendered from HTML with wkhtmltopdf, and its content is a mass of clickable external links, most of them to other PDFs on free site-builder storage (weebly.com, strikinglycdn.com and similar CDNs), with the largest cluster on uploads.strikinglycdn.com. The critical heuristic classifies it as an SEO link-farm carrier: a generated document seeded into search results for a lure query, here a homework answer-key search ('lesson 7.1 skills practice answers key geometry', carried in the utm_term of the nomylo.ru link), that pushes the reader onward to a redirector and to further carrier PDFs. No JavaScript or other scripts were extracted and the only actions reported are external /URI link actions, so nothing here exploits the viewer; the document only works if the reader clicks through, and the risk sits in the destination chain (phishing, unwanted-software or malware delivery). The indicators to act on are therefore the URLs listed below, above all the nomylo.ru redirector. Two caveats on the ATT&CK mapping: the T1059.007 (JavaScript) entry is not supported by the static findings, and the SEO pattern means such carriers are usually reached through search results rather than as mailed attachments, so T1566.001 should be read as the scanner's default rather than as evidence of an email campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8609

Heuristics (4)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV detected this file as malware
    Signature: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • [info] PDF_URI: External URI
    PDF contains an external URL action (a /URI action attached to a link annotation, the clickable-link mechanism that takes the reader out of the document).
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; what matters is the channel that reached it (macro, JS, link annotation, document body, ...). For this sample the link-farm heuristic above establishes that the bulk of the list below is reached through clickable link annotations.
    • https://nomylo.ru/pbw?utm_term=lesson+7.1+skills+practice+answers+key+geometry
    • https://senuwisaf.weebly.com/uploads/1/3/4/0/134018119/8725809.pdf
    • https://jumomemokipus.weebly.com/uploads/1/3/0/8/130874307/padadigebup.pdf
    • https://gakazores.weebly.com/uploads/1/3/1/8/131856584/a01d3b0.pdf
    • https://lafupoboj.weebly.com/uploads/1/3/1/8/131857117/wekire.pdf
    • https://cdn-cms.f-static.net/uploads/4470828/normal_602056c2bc8ec.pdf
    • https://ladozazewuse.weebly.com/uploads/1/3/4/0/134095850/7375947.pdf
    • https://turabebusaweni.weebly.com/uploads/1/3/1/4/131438207/jifanoxaferimawo.pdf
    • https://jupelokuxaw.weebly.com/uploads/1/3/4/6/134601506/c93efca.pdf
    • https://static.s123-cdn-static.com/uploads/4455642/normal_5fe3684d9adcf.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/93161f31-a810-4ecf-b237-8562392eaf72/maximum_ride_manga_vol_9.pdf
    • https://uploads.strikinglycdn.com/files/b0d12ff7-8f46-49e9-af34-590c5ada4f01/casio_protrek_prw_3000_titanium.pdf
    • https://uploads.strikinglycdn.com/files/0c17dd98-3191-48cc-8f5e-01c4dcab01ad/tigewudutigozu.pdf
    • https://uploads.strikinglycdn.com/files/03dff7de-e1b5-44b2-a07b-c84cace2ef43/firimikasiwagonidal.pdf
    • https://uploads.strikinglycdn.com/files/86bb733b-c96b-482d-87ea-10bf41f9c979/rilubesemuxilatuvuvifudo.pdf
    • https://uploads.strikinglycdn.com/files/121918d2-0b60-4b1d-af93-e8fbe104d34f/nalopugogapojidusore.pdf
    • https://uploads.strikinglycdn.com/files/969dbb64-8fa7-4b59-8b1f-90d73ead8395/nikon_prostaff_rimfire_3-9x40_manual.pdf
    • https://uploads.strikinglycdn.com/files/b97d34ce-c912-4af0-99e2-7557dbb61e53/62051622304.pdf
    • https://uploads.strikinglycdn.com/files/2c37ee64-078b-42dc-a496-417b8a82cee9/command_prompt_commands_windows_10_download.pdf
    • https://uploads.strikinglycdn.com/files/983178ae-d7dc-4578-9048-1493fcbd195a/viposewoniporinaj.pdf
    • https://uploads.strikinglycdn.com/files/0f70297e-adc6-4ce3-8b83-62edf625b89c/97184442355.pdf
    • https://uploads.strikinglycdn.com/files/56fe9f46-acbe-44d7-961c-0bfb220bd055/62092430989.pdf
    • https://uploads.strikinglycdn.com/files/cb02e37f-de67-4a26-9bcc-bb57f1807d13/what_do_the_sirens_offer_odysseus.pdf
    • http://scripts.sil.org/OFL
    The three non-PDF URLs on ascendercorp.com and scripts.sil.org (the SIL Open Font License) are not part of the link farm: they match the vendor URL, designer URL and license URL records of the name table of an Ascender-made, OFL-licensed font and almost certainly came from the two embedded fonts carved below rather than from link annotations. Treat them as benign font metadata and exclude them from the link count; confirm by reading the name table of the carved sfnt files.
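The link-farm heuristic and the URL extraction above, as an added example (not the scanner's code and not taken from the sample): a byte-level extractor that separates clickable /URI actions from URLs that are merely present in the file, and a verdict function in the spirit of PDF_SEO_LINK_FARM. The thresholds, the hostnames and the sample PDF it is run on are assumptions constructed for illustration; the real scanner's values are not published in the report.

```python
"""Added example (not the scanner's code): split a PDF's URLs by channel and apply a
link-farm heuristic in the spirit of PDF_SEO_LINK_FARM. Thresholds, hostnames and
the sample PDF are assumptions constructed for illustration."""
import re
from collections import Counter
from urllib.parse import urlparse

# Channel 1: clickable links, i.e. /URI actions written as literal strings "/URI (...)".
# The group keeps PDF escapes intact; hex-string URIs are rare and ignored here.
URI_ACTION = re.compile(rb'/URI\s*\(((?:\\.|[^\\)])*)\)')
# Channel 2: any http(s) URL anywhere in the raw bytes (page text, XMP, uncompressed
# font tables, ...). Presence here is not a detection on its own.
RAW_URL = re.compile(rb'https?://[^\s<>()"\']+')

def pdf_literal(body: bytes) -> str:
    """Unescape a PDF literal string body: \\( \\) and \\\\ are the escapes URLs hit."""
    return re.sub(rb'\\(.)', rb'\1', body).decode('latin-1')

def extract_urls(pdf: bytes) -> dict:
    """Clickable /URI targets versus URLs that are merely present somewhere in the bytes."""
    clickable = [pdf_literal(m.group(1)) for m in URI_ACTION.finditer(pdf)]
    seen, body = set(clickable), []
    for m in RAW_URL.finditer(pdf):
        url = m.group(0).decode('latin-1')
        if url not in seen:
            seen.add(url)
            body.append(url)
    return {'link_annotation': clickable, 'document_body': body}

def link_farm_verdict(pdf: bytes, *, max_size=256 * 1024, min_links=10,
                      min_pdf_share=0.6, min_top_host_share=0.5) -> dict:
    """Flag a small PDF whose clickable links are numerous, mostly point at other PDFs
    and mostly cluster on one host. The threshold values are illustrative assumptions."""
    links = [u for u in extract_urls(pdf)['link_annotation']
             if urlparse(u).scheme in ('http', 'https')]
    hosts = Counter(urlparse(u).hostname for u in links)
    result = {'size': len(pdf), 'external_links': len(links), 'hosts': hosts,
              'flag': False, 'reason': ''}
    if len(pdf) > max_size:
        result['reason'] = 'file too large for the small-carrier pattern'
        return result
    if len(links) < min_links:
        result['reason'] = 'too few clickable external links'
        return result
    pdf_share = sum(urlparse(u).path.lower().endswith('.pdf') for u in links) / len(links)
    top_host, top_n = hosts.most_common(1)[0]
    top_share = top_n / len(links)
    result.update(pdf_share=round(pdf_share, 3), top_host=top_host,
                  top_host_share=round(top_share, 3))
    if pdf_share >= min_pdf_share and top_share >= min_top_host_share:
        result['flag'] = True
        result['reason'] = (f'{len(links)} clickable links, {pdf_share:.0%} to .pdf, '
                            f'{top_share:.0%} on {top_host}')
    else:
        result['reason'] = 'links are not PDF-heavy or not clustered on one host'
    return result

def build_pdf(urls, extra_stream: bytes = b'') -> bytes:
    """Constructed minimal PDF: one page, one /Link annotation with a /URI action per URL,
    optionally one raw stream. No xref table: fine for a byte-level scanner, not a viewer."""
    def esc(u: str) -> bytes:
        return u.replace('\\', '\\\\').replace('(', '\\(').replace(')', '\\)').encode('latin-1')
    objs, refs, n = [], [], 4
    for u in urls:
        objs.append(b'%d 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] '
                    b'/A << /S /URI /URI (%s) >> >>\nendobj\n' % (n, esc(u)))
        refs.append(b'%d 0 R' % n)
        n += 1
    if extra_stream:
        objs.append(b'%d 0 obj\n<< /Length %d >>\nstream\n' % (n, len(extra_stream))
                    + extra_stream + b'\nendstream\nendobj\n')
    head = (b'%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n'
            b'2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n'
            b'3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [' + b' '.join(refs) + b'] >>\nendobj\n')
    return head + b''.join(objs) + b'trailer\n<< /Root 1 0 R >>\n%%EOF\n'

# Constructed sample modelled on the report's pattern: one redirector carrying the lure
# search term plus many .pdf links, most of them on one free-hosting CDN.
LURE = 'https://redirector.example/go?utm_term=lesson+7.1+skills+practice+answers+key+geometry'
SAMPLE_URLS = ([LURE]
               + [f'https://uploads.cdn-a.example/files/{i:08x}/guide_{i}.pdf' for i in range(9)]
               + [f'https://site{i}.builder.example/uploads/1/3/{i}/doc_{i}.pdf' for i in range(3)])
# An uncompressed font-style stream carrying a license URL: the "document body" channel,
# not a clickable link, which is how the OFL URL ends up in the report's list.
FONT_META = b'\x00\x01\x00\x00 name http://scripts.sil.org/OFL \x00'
SAMPLE_PDF = build_pdf(SAMPLE_URLS, extra_stream=FONT_META)
BENIGN_PDF = build_pdf(['https://example.org/a.pdf', 'https://example.net/b',
                        'https://example.com/c.pdf'])

if __name__ == '__main__':
    print(extract_urls(SAMPLE_PDF))
    print(link_farm_verdict(SAMPLE_PDF)['reason'])
    print(link_farm_verdict(BENIGN_PDF)['reason'])
```

To run it on a real file, pass `open(path, 'rb').read()` to link_farm_verdict. A raw-byte scan like this only sees uncompressed objects: PDF 1.4 writers such as the Qt engine behind wkhtmltopdf do not use object streams, but a PDF 1.5+ file that packs its annotation dictionaries into /ObjStm streams must be expanded first (for example with `qpdf --qdf --object-streams=disable in.pdf out.pdf`), otherwise the link count is understated and the heuristic fails open.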

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000ef9d.bin
  SHA-256: e439ae345cf7fd720eccd6faed48c943c701ed87725a182368bd1161b7a12dab
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xEF9D
  Size: 5616 bytes

Filename: font_01_sfnt_off000102de.bin
  SHA-256: 1cd0aef37c2e93f13e97e4f9c1666ade467aa7c75fa0ad689f16c0c09c50b201
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x102DE
  Size: 10836 bytes
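The check for the carved fonts, as an added example (not the scanner's code): a reader for the sfnt table directory and 'name' table that lists the vendor, designer and license URL records, which is where strings like the ascendercorp.com and scripts.sil.org/OFL entries in the URL list live. The font it runs on is constructed, a bare container holding only a name table and no glyphs; the three URL strings are taken from the report's list, and the family and foundry names are made up. Run name_records() on the carved font_*.bin files to check the real sample.

```python
"""Added example (not the scanner's code): read the 'name' table of an sfnt font to
show where URLs such as the ascendercorp.com and scripts.sil.org/OFL entries come
from. SAMPLE_FONT is constructed; only its three URL strings come from the report."""
import struct

NAME_IDS = {0: 'copyright', 1: 'family', 4: 'full name', 8: 'manufacturer',
            9: 'designer', 11: 'vendor URL', 12: 'designer URL',
            13: 'license', 14: 'license URL'}
URL_NAME_IDS = (11, 12, 14)

def sfnt_tables(font: bytes) -> dict:
    """Return {tag: (offset, length)} from the sfnt table directory."""
    version, num_tables = struct.unpack('>IH', font[:6])
    if version not in (0x00010000, 0x74727565, 0x4F54544F):  # 1.0, 'true', 'OTTO'
        raise ValueError('not an sfnt container')
    tables = {}
    for i in range(num_tables):
        rec = font[12 + 16 * i: 28 + 16 * i]
        tag, _checksum, offset, length = struct.unpack('>4sIII', rec)
        tables[tag.decode('latin-1')] = (offset, length)
    return tables

def name_records(font: bytes) -> list:
    """Decode every 'name' record as (platformID, nameID, label, text)."""
    base, _length = sfnt_tables(font)['name']
    _fmt, count, string_off = struct.unpack('>HHH', font[base:base + 6])
    records = []
    for i in range(count):
        rec = font[base + 6 + 12 * i: base + 18 + 12 * i]
        plat, _enc, _lang, nid, slen, soff = struct.unpack('>HHHHHH', rec)
        start = base + string_off + soff
        raw = font[start:start + slen]
        # Unicode (0) and Windows (3) platforms store UTF-16BE; Macintosh (1) stores
        # single-byte text, which is why these URLs are visible to a raw-byte URL scanner.
        text = raw.decode('utf-16-be') if plat in (0, 3) else raw.decode('mac-roman', 'replace')
        records.append((plat, nid, NAME_IDS.get(nid, f'nameID {nid}'), text))
    return records

def metadata_urls(font: bytes) -> list:
    """URLs that are font metadata (vendor, designer, license), not document links."""
    return sorted({text for _, nid, _, text in name_records(font) if nid in URL_NAME_IDS})

def build_sfnt(names) -> bytes:
    """Constructed TrueType container holding only a 'name' table (no glyphs), with
    each string stored twice: Macintosh/Roman (platform 1) and Windows/Unicode (3)."""
    records, storage = [], b''
    for nid, text in names:
        for plat, enc, lang, data in ((1, 0, 0, text.encode('mac-roman')),
                                      (3, 1, 0x409, text.encode('utf-16-be'))):
            records.append(struct.pack('>HHHHHH', plat, enc, lang, nid, len(data), len(storage)))
            storage += data
    name_table = (struct.pack('>HHH', 0, len(records), 6 + 12 * len(records))
                  + b''.join(records) + storage)
    header = struct.pack('>IHHHH', 0x00010000, 1, 16, 0, 0)  # one table
    directory = struct.pack('>4sIII', b'name', 0, 28, len(name_table))  # 12 + 16 = 28
    return header + directory + name_table

# Constructed font; only the three URL strings are taken from the report's URL list.
SAMPLE_FONT = build_sfnt([
    (1, 'Example Sans'),
    (8, 'Example Type Foundry'),
    (11, 'http://www.ascendercorp.com/'),
    (12, 'http://www.ascendercorp.com/typedesigners.html'),
    (14, 'http://scripts.sil.org/OFL'),
])

if __name__ == '__main__':
    for plat, nid, label, text in name_records(SAMPLE_FONT):
        print(plat, nid, label, repr(text))
    print(metadata_urls(SAMPLE_FONT))
```

If the carved files yield these three URLs as nameID 11, 12 and 14 records, they are font metadata and should be dropped from the indicator set; any URL that does not come from a name record (or from a link annotation) deserves a closer look at which object contains it.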