Malicious PDF — malware analysis report

Static analysis result for SHA-256 097eb40b59906b98…

Verdict: MALICIOUS
File type: PDF
Size: 88.6 KB
Created: 2021-03-12 09:29:39 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 70de6170d3b46ca60beaa4e3cea603b2
SHA-1: e1f5c651923dfe4c0f3a4fc2be796e05365d108c
SHA-256: 097eb40b59906b98b06e437ea154bb55c992e26fa78c196247d99839714186fe
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous external links, with one prominent URL pointing to a site that appears to be part of an SEO spam or phishing operation. The ClamAV detection and ML classifier also indicate malicious intent, specifically classifying it as a phishing trojan. While no scripts were directly extracted, the PDF structure and embedded links suggest an attempt to redirect users to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6393

Heuristics (4)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0001304f.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1304F  5356 bytes
  SHA-256: 70e3e8485161bb34551e43e05b908730b708bd8595907a1e688ca0ff1ef7e22b
font_01_sfnt_off0001428a.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1428A  10320 bytes
  SHA-256: 19d8c4edf8db47df25a8e79c199558c99ffc372fb7bff8ccfe8a177e0dcc90e9