Malicious PDF — malware analysis report

Static analysis result for SHA-256 1407beb460cabb7d…

MALICIOUS

PDF

Size: 110.5 KB
Created: 2021-03-10 11:43:04 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-18
MD5: 6f1b54063fea6e10c7753b4ea5976494
SHA-1: ca25d8e18e2f1b06465d1992e977999ed61eb796
SHA-256: 1407beb460cabb7d23698cd04b06417c4b9b2f08dd9ef41795f708d62b45d067
Risk Score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged as malicious by ClamAV and by an ML classifier. It contains numerous external links, including one pointing to 'https://golowaki.ru/award?keyword=atrocities+act+in+marathi+pdf', which suggests a link farm or phishing lure rather than a normal document. Although the document body is heavily obfuscated, the file's metadata indicates it was generated by wkhtmltopdf, a tool often used to mass-produce SEO-optimized PDFs that serve as lures.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8677

Heuristics (5)

  • ClamAV detection [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info, PDF_URI]
    PDF contains an external URL action.
  • PDF differential parser failed [info, PDF_DIFFERENTIAL_PARSE_FAILED]
    The cross-check parser (pdfminer.six) failed on this file with PDFSyntaxError. Static heuristics still ran and their findings above remain valid; only the differential cross-check signal is missing.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://golowaki.ru/award?keyword=atrocities+act+in+marathi+pdf (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0001846c.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1846C
  Size: 5352 bytes
  SHA-256: a26fe2026e0f06fb069139781eecb1e900d2c2f006e2c7b8b5478cc421b93a02

Filename: font_01_sfnt_off00019675.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x19675
  Size: 10348 bytes
  SHA-256: a3df26caf157e305e6aa6fc266054eeb09c4d64f37712901627fab2d72122ce3