Malicious PDF — malware analysis report

Static analysis result for SHA-256 0a4cdb3de1ef24fd…

Verdict: MALICIOUS
File type: PDF
Size: 76.3 KB
Created: 2021-03-28 16:51:01 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7fed463926e80dea30b2a11207171804
SHA-1: 76743f302327665e694a365889ce15cad7e66e0c
SHA-256: 0a4cdb3de1ef24fde4940e4bcb472014396a169e6ebe825ffc832b8684ef4551
Risk Score: 126

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF document contains numerous embedded URLs, many pointing to disposable hosting, and is flagged by heuristics as a link farm and a malicious PDF. The ML classifier and ClamAV detection strongly indicate malicious intent. The document body, though heavily obfuscated, suggests a lure related to 'lesson plan templates', likely to trick users into visiting the malicious URLs.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9132

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PDFSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://fokemale.ru/award?keyword=weekly+lesson+plan+template+pdf+free
    • https://cdn.sqhk.co/xaxovowupofa/phdfyg4/nicolas_cage_net_worth.pdf
    • http://vogudikomi.getenjoyment.net/alergias_alimentarias_en_nios.pdf
    • https://cdn.sqhk.co/liritefebat/cREjcei/jajon.pdf
    • https://cdn.sqhk.co/girewobo/fVgjgd3/gineniki.pdf
    • http://ruwemipuwev.mypressonline.com/music_guitar_chords_poster.pdf
    • http://pidusejop.medianewsonline.com/kumalegegiturir.pdf
    • https://cdn.sqhk.co/sozaxejiv/CUieji5/empire_hexing_africa.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://5071cc05-3fa2-46b1-b944-d2523ca4b51d.filesusr.com/ugd/62e2c1_f3de1964d6b744a8b43f1b032b134004.pdf?index=true
    • http://pagiburisodu.epizy.com/echo_cs_400_review.pdf
    • http://bufizufidubak.rf.gd/6325209497.pdf
    • http://malusamum.rf.gd/59541801122.pdf
    • http://kiderirujefadag.epizy.com/causal_inferences_in_nonexperimental_research.pdf
    • https://uploads.strikinglycdn.com/files/57ea1e72-146a-417c-839a-16f704d6a677/10668330352.pdf
    • https://uploads.strikinglycdn.com/files/79d28ebc-56b8-49d8-91b5-965585e9c544/mupajewozifexepuw.pdf
    • https://uploads.strikinglycdn.com/files/3fa20c16-bfb7-4ed4-9300-817ae201e540/dyson_v7_animal_vacuum_cleaner_best_price.pdf
    • https://s3.amazonaws.com/vofadoloves/rofoputapedagorovise.pdf
    • https://uploads.strikinglycdn.com/files/a66bb439-8a54-45e1-abb4-1d58d53aa3c9/taloxogagewufuzesixob.pdf
    • https://s3.amazonaws.com/gezetega/sodasalezilevebogabit.pdf
    • http://fusupufe.epizy.com/everstart_battery_charger_instructions.pdf
    • https://s3.amazonaws.com/silubebebefuju/the_colour_of_magic_book_online.pdf
    • https://e8f98835-b194-42a5-b43f-fe2f29920dd6.filesusr.com/ugd/bf650e_9b2d320f0b2f41cba11403c4308d1f94.pdf?index=true
    • https://f72b89be-0fa6-41ee-8162-331329ef78ce.filesusr.com/ugd/95089d_d84684526c7442d9a08ea118c8118741.pdf?index=true
    • https://5071cc05-3fa2-46b1-b944-d2523ca4b51d.filesusr.com/ugd/62e2c1_b27f81cebf134dc1862dcb7968eab28e.pdf?index=true
    • https://uploads.strikinglycdn.com/files/56550ece-bf8b-4cdd-8391-cffe7a7ec7c7/is_hansel_and_gretel_2013_on_netflix.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f751.bin
  SHA-256: 48a9a1b143cf986a5006c5009d58885b6855307eb6c3fa1522daed6dcd5edd87
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF751
  Size: 5368 bytes

Filename: font_01_sfnt_off00010999.bin
  SHA-256: cfaba136520a9df0dda0d375d4108ad310f7540c74f203b3c3eb7e6441af46ef
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10999
  Size: 11344 bytes