Malicious PDF — malware analysis report

Static analysis result for SHA-256 04c559335d40b2c7…

Verdict: MALICIOUS
File type: PDF
Size: 74.9 KB
Created: 2021-03-26 07:08:49 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7d853bdc04a3a6ad001bd2a97edaa38f
SHA-1: ced72bf88542bd2270245b2fe12c9c1ed9281877
SHA-256: 04c559335d40b2c78fad8175d44428a1707de370652f28316c9593f889b37d62
Risk score: 164

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF carries a large number of external link annotations. Most of them point at further auto-generated PDFs on free-hosting and CDN domains (weebly.com subdomains, cdn.sqhk.co, cdn-cms.f-static.net, filesusr.com, S3 buckets), and one is a keyword redirector on a .ru domain; this is the pattern of generated SEO/link-farm carriers that route users into phishing or unwanted-software delivery chains rather than a normal document citation pattern. The ClamAV signature Pdf.Phishing.Trojan supports that reading. No JavaScript or other script was extracted from the file, so the T1059.007 mapping rests on the heuristics rather than on a recovered script; the PDF_URI and PDF_SEO_LINK_FARM hits are what indicate that the document exists to redirect users to content hosted on external sites. The SE_LOLBIN_RUN_COMMAND hit on the document text should be checked by hand, because that heuristic fires on a tool name near a flag or URL in extracted text and the report does not show the matching string. The ascendercorp.com and scripts.sil.org/OFL URLs are consistent with licence and vendor strings from the two embedded fonts listed under Extracted artifacts rather than with lure targets.

Machine Learning

  • Nyx PDF Classifier: clean score 0.1217

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    A small PDF contains many clickable external links to other PDFs, mostly clustered on one host. This matches the generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • SE_LOLBIN_RUN_COMMAND (high): LOLBin token sequence in document text
    The extracted document text contains the name of a Windows script or execution tool (PowerShell, mshta, cmd, rundll32, regsvr32, ...) within 220 characters of a dangerous flag, command verb, or URL. In HTML/PDF/RTF lure bodies this is a visible "run this" instruction; in macro-laden Office files it is the macro's own string-pool entries appearing next to each other in the extracted text.
  • PDF_URI (info): External URI
    The PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://lozipotod.ru/wix?keyword=clearasil+ultra+rapid+action+pads+review
    • https://cdn.sqhk.co/wojusipi/hxijDjj/tournament_maker_app.pdf
    • https://jedadizonavo.weebly.com/uploads/1/3/4/7/134721040/jiwogujekemol-xuvixevaru-verurilil-xujupob.pdf
    • https://cdn.sqhk.co/kivipemo/gciihgY/luzelak.pdf
    • https://cdn.sqhk.co/sevijeruba/ha7gQhN/how_to_draw_a_wolf_head_easy_youtube.pdf
    • https://cdn-cms.f-static.net/uploads/4403960/normal_6029d424a4d38.pdf
    • https://sadavofabuloxus.weebly.com/uploads/1/3/5/3/135316226/rupeduturowapow.pdf
    • https://cdn-cms.f-static.net/uploads/4370989/normal_5fd67873b87f1.pdf
    • https://wigobozigor.weebly.com/uploads/1/3/5/3/135345973/a32380.pdf
    • https://tatisosef.weebly.com/uploads/1/3/5/3/135333589/xukemelemo_domosab_sefabu.pdf
    • https://cdn-cms.f-static.net/uploads/4446502/normal_603956b238b52.pdf
    • https://paxituzupinemof.weebly.com/uploads/1/3/5/3/135303349/bedexulojararikef.pdf
    • https://wudizabilizone.weebly.com/uploads/1/3/4/7/134745746/9e48ecd.pdf
    • https://lufumapapolag.weebly.com/uploads/1/3/4/3/134353855/3ebdcb3b.pdf
    • https://cdn-cms.f-static.net/uploads/4475217/normal_60163ca770ede.pdf
    • https://gotitodurafa.weebly.com/uploads/1/3/4/3/134351762/wojozazela_bojikib_pofiguj_banupeteti.pdf
    • https://katifakemu.weebly.com/uploads/1/3/1/3/131381151/8233119.pdf
    • https://cdn-cms.f-static.net/uploads/4372740/normal_602477b0c1b50.pdf
    • https://rajidorux.weebly.com/uploads/1/3/1/4/131453086/f024a8c5ffc50c.pdf
    • https://cdn-cms.f-static.net/uploads/
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/bojafazes/21062466269.pdf
    • https://s3.amazonaws.com/lupuvogotog/how_to_use_long_aid_curl_activator_gel.pdf
    • https://d23eb412-52e1-45ef-a32a-0c032022daee.filesusr.com/ugd/03485a_f0e6bad28cc2423291ddbc0cfd23d76c.pdf?index=true
    • https://1923692e-f727-4f58-80a8-3583160180e3.filesusr.com/ugd/c4ccc4_12c46e7ac53d47cf92e21003b170da21.pdf?index=true
    • https://a1359116-1358-4cde-afc5-3600b4bb50db.filesusr.com/ugd/3b0c81_f8630ce13d5f47e7bee72a938d864b0d.pdf?index=true
    • https://9907981b-0bc7-4fd3-a434-169f7cdadf42.filesusr.com/ugd/575363_e351cb8af9f94fda9fd98b396da01534.pdf?index=true
    • https://s3.amazonaws.com/tupofelasujewas/hp_layer_3_switch_configuration_guide.pdf
    • https://s3.amazonaws.com/tuxalowafokuvo/57172844191.pdf
    • https://s3.amazonaws.com/fedure/similes_and_metaphors_worksheet_for_4th_grade.pdf
    • http://scripts.sil.org/OFL
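The PDF_URI, PDF_SEO_LINK_FARM and SE_LOLBIN_RUN_COMMAND checks above can be reproduced with stdlib Python. The script below is an added example, not the report engine's own code: the thresholds (at least 10 links, at least half on one site, file under 200 KB), the "last two labels" approximation of a registered domain, the LOLBin and trigger word lists, and the sample PDF and lure text are all assumptions made for the demonstration, and only literal-string /URI entries in uncompressed object dictionaries are parsed.

```python
"""Reproduce the PDF_URI, PDF_SEO_LINK_FARM and SE_LOLBIN_RUN_COMMAND checks.
Added example (stdlib only); thresholds, domain grouping and sample data are
assumptions, not the report engine's configuration."""
import re
from collections import Counter
from urllib.parse import urlparse

# /URI (literal string) inside a link annotation's action dictionary.
# Assumption: hex-string (/URI <...>) and object-stream-compressed forms are not handled.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def extract_uris(pdf: bytes) -> list:
    """PDF_URI: every external URL action found in the raw file."""
    out = []
    for m in URI_RE.finditer(pdf):
        raw = m.group(1).replace(rb"\(", b"(").replace(rb"\)", b")").replace(rb"\\", b"\\")
        out.append(raw.decode("latin-1"))
    return out


def site_of(url: str) -> str:
    """Group hosts by their last two labels (assumption: no public-suffix list)."""
    host = urlparse(url).netloc.lower().split(":")[0]
    return ".".join(host.split(".")[-2:])


def link_farm_verdict(pdf: bytes, size_limit=200_000, min_links=10, cluster_ratio=0.5) -> dict:
    """PDF_SEO_LINK_FARM: a small PDF whose external links mostly cluster on one site
    and mostly point at further PDFs."""
    links = [u for u in extract_uris(pdf) if urlparse(u).scheme in ("http", "https")]
    sites = Counter(site_of(u) for u in links)
    top_site, top_count = sites.most_common(1)[0] if sites else ("", 0)
    pdf_targets = sum(urlparse(u).path.lower().endswith(".pdf") for u in links)
    flagged = (len(pdf) <= size_limit and len(links) >= min_links
               and top_count / len(links) >= cluster_ratio)
    return {"links": len(links), "sites": len(sites), "top_site": top_site,
            "top_count": top_count, "pdf_targets": pdf_targets, "link_farm": flagged}


# SE_LOLBIN_RUN_COMMAND: a Windows execution tool name within `window` characters of a
# dangerous flag, command verb or URL in the extracted document text.
LOLBIN_RE = re.compile(r"\b(powershell|pwsh|mshta|cmd|rundll32|regsvr32|wscript|cscript|certutil|bitsadmin)\b", re.I)
TRIGGER_RE = re.compile(r"(-enc\w*|-nop\w*|-w(?:indowstyle)?\s+hidden|-ExecutionPolicy|/c\b|\biex\b|Invoke-\w+|DownloadString|https?://\S+)", re.I)


def lolbin_proximity(text: str, window: int = 220) -> list:
    """Return (tool, trigger) pairs that sit within `window` characters of each other."""
    triggers = [(m.start(), m.group(0)) for m in TRIGGER_RE.finditer(text)]
    hits = []
    for m in LOLBIN_RE.finditer(text):
        near = [t for pos, t in triggers if abs(pos - m.start()) <= window]
        if near:
            hits.append((m.group(0), near[0]))
    return hits


# ---- constructed sample data (not from the analysed file) ----
SAMPLE_URLS = [f"https://u{i}.files.example/docs/{i}.pdf" for i in range(9)] + [
    "https://blog.other.example/x.pdf",
    "https://blog.other.example/y.pdf",
    "http://fonts-vendor.example/license",
]
LURE_TEXT = ("Open the attachment. If nothing is displayed, run "
             "powershell -nop -w hidden -enc SQBFAFgA from the Start menu.")
BENIGN_TEXT = "The cmd prompt in chapter 3 shows a plain directory listing."


def build_sample_pdf(urls) -> bytes:
    """Minimal one-page PDF made only of link annotations (no xref table; enough for this scan)."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    annots = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(urls)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [" + annots + b"] >>")
    for u in urls:
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
                    b"/A << /S /URI /URI (" + u.encode() + b") >> >>")
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (i, o) for i, o in enumerate(objs, 1))
    return b"%PDF-1.4\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    print(link_farm_verdict(build_sample_pdf(SAMPLE_URLS)))
    print(lolbin_proximity(LURE_TEXT), lolbin_proximity(BENIGN_TEXT))
```

On the constructed sample the verdict comes back with 12 links on 3 sites, 9 of them on one site and 11 pointing at PDFs, so the link-farm flag is raised; the lure text yields one (powershell, -nop) pair while the benign sentence that merely mentions cmd yields none. Against a real file, run the same functions after decompressing object streams, otherwise annotations stored in /ObjStm are missed.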

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

font_00_sfnt_off0000ed7a.bin
  SHA-256: 7beba44d06fd760473b49478cff6e51454ff6ff3a14ba67da33c94422afcd0b6
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xED7A
  Size:    5124 bytes

font_01_sfnt_off0000ff05.bin
  SHA-256: 64ceab2e7f13f722e07e868332b0f21fff591864176a09b0b9933a2d29df569d
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xFF05
  Size:    11676 bytes
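The two artifacts above are sfnt containers (TrueType/OpenType font files) pulled out of the PDF's font streams. The carver below is an added example, not the report's extraction code: it walks every stream, inflates FlateDecode streams, locates sfnt magic bytes, and reads the length of each font from its table directory before hashing it. It assumes direct /Length values (indirect references are skipped), Flate or raw streams only, and a 64-table sanity cap to reject chance hits on the word "true"; the sample font and the PDF wrapping it are constructed in the script.

```python
"""Carve embedded sfnt (TrueType/OpenType) fonts from PDF streams and hash them.
Added example (stdlib only); the sample font and PDF are constructed here and the
stream parsing is deliberately minimal (assumption: direct /Length values, Flate or raw)."""
import hashlib
import re
import struct
import zlib

STREAM_RE = re.compile(rb"<<([^>]*?)>>\s*stream\r?\n", re.S)
LENGTH_RE = re.compile(rb"/Length\s+(\d+)")
SFNT_MAGIC_RE = re.compile(rb"\x00\x01\x00\x00|true|OTTO")  # TrueType, Apple 'true', CFF OpenType


def sfnt_length(buf: bytes, off: int):
    """Length of the sfnt at buf[off:] from its table directory, or None if it is not a plausible font."""
    if off + 12 > len(buf):
        return None
    num_tables = struct.unpack(">H", buf[off + 4:off + 6])[0]
    if not 0 < num_tables < 64:          # real fonts have a handful of tables; rejects text hits on 'true'
        return None
    end = 12 + 16 * num_tables
    for i in range(num_tables):
        rec = off + 12 + 16 * i
        if rec + 16 > len(buf):
            return None
        _tag, _checksum, t_off, t_len = struct.unpack(">4sIII", buf[rec:rec + 16])
        if off + t_off + t_len > len(buf):
            return None
        end = max(end, t_off + t_len)
    return end


def carve_fonts(pdf: bytes) -> list:
    """Walk every stream, inflate it if needed, and carve each valid sfnt found inside."""
    found = []
    for m in STREAM_RE.finditer(pdf):
        length = LENGTH_RE.search(m.group(1))
        if not length:
            continue                     # indirect /Length references are not resolved here
        start = m.end()
        raw = pdf[start:start + int(length.group(1))]
        is_flate = b"/FlateDecode" in m.group(1)
        try:
            data = zlib.decompress(raw) if is_flate else raw
        except zlib.error:
            continue
        skip_to = 0
        for hit in SFNT_MAGIC_RE.finditer(data):
            if hit.start() < skip_to:
                continue                 # magic bytes that sit inside a font already carved
            n = sfnt_length(data, hit.start())
            if n is None:
                continue
            blob = data[hit.start():hit.start() + n]
            found.append({
                "filter": "FlateDecode" if is_flate else "raw",
                "stream_offset": start,  # file offset of the stream data
                "file_offset": None if is_flate else start + hit.start(),
                "size": n,
                "sha256": hashlib.sha256(blob).hexdigest(),
                "bytes": blob,
            })
            skip_to = hit.start() + n
    return found


# ---- constructed sample data (not from the analysed file) ----
def build_sample_sfnt() -> bytes:
    """Minimal TrueType-style sfnt: header, two-entry table directory, padded table data."""
    tables = [(b"head", b"\x00" * 54), (b"name", b"Constructed Font".ljust(32, b"\x00"))]
    num = len(tables)
    entry_selector = num.bit_length() - 1            # floor(log2(num)), per the sfnt header definition
    search_range = (1 << entry_selector) * 16
    header = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", num, search_range,
                         entry_selector, num * 16 - search_range)
    directory, body, offset = b"", b"", 12 + 16 * num
    for tag, data in tables:
        padded = data + b"\x00" * ((4 - len(data) % 4) % 4)   # tables are 4-byte aligned
        directory += struct.pack(">4sIII", tag, 0, offset, len(data))
        body += padded
        offset += len(padded)
    return header + directory + body


def build_sample_pdf(font: bytes) -> bytes:
    """Three streams: the font Flate-compressed, the same font raw, and a decoy containing 'true'."""
    comp = zlib.compress(font)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /Length %d /Filter /FlateDecode /Length1 %d >>\nstream\n" % (len(comp), len(font)) + comp + b"\nendstream",
        b"<< /Length %d /Length1 %d >>\nstream\n" % (len(font), len(font)) + font + b"\nendstream",
        b"<< /Length 4 >>\nstream\ntrue\nendstream",
    ]
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (i, o) for i, o in enumerate(objs, 1))
    return b"%PDF-1.4\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    for f in carve_fonts(build_sample_pdf(build_sample_sfnt())):
        print(f["filter"], f["size"], f["sha256"])
```

The constructed PDF yields two 132-byte carves with the same SHA-256 (one from the inflated stream, one from the raw stream, where the file offset is meaningful) and nothing from the decoy stream, because "true" followed by four bytes does not parse as a table directory. The report's offsets 0xED7A and 0xFF05 and sizes 5124 and 11676 bytes come from the same kind of length computation applied to the real file.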