Malicious PDF — malware analysis report

Static analysis result for SHA-256 16dedae47cfbab99…

MALICIOUS

PDF

110.5 KB Created: 2021-03-18 10:51:28 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 81fda736648f1c4d53c6b2f2b090890c SHA-1: 8effa3539cb9a4de1d9a7a15a00a7fcd5aa9bdb9 SHA-256: 16dedae47cfbab9913145fd3664d3d69fc4a6ab3435c279e344156e71ee05158
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of external links, many of which are to PDF files, suggesting a link farm or SEO poisoning tactic. The primary URL, https://vilenefex.ru/award?keyword=what+is+millennium+development+goals+pdf, is designed to appear as a search result. While no scripts were explicitly extracted, the PDF structure and heuristic firings indicate malicious intent, likely to redirect users to phishing or malware sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9622

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://vilenefex.ru/award?keyword=what+is+millennium+development+goals+pdf
    • https://wirazalalotun.weebly.com/uploads/1/3/0/7/130776536/lolenatifurilapipor.pdf
    • http://zitojesudesidaj.22web.org/huffy_nighthawk_mountain_bike_review.pdf
    • https://fesomexipilajuj.weebly.com/uploads/1/3/3/9/133997099/fosonidagerofis.pdf
    • https://cdn.sqhk.co/jenotonolo/mfiia0d/pojotiz.pdf
    • https://cdn.sqhk.co/dibirolinu/qTRiuhd/word_family_activities_for_older_students.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://vozekalazasof.rf.gd/25755436590.pdf
    • https://uploads.strikinglycdn.com/files/e34b1d20-841e-4f1a-8e00-b47ecf989d08/37793799386.pdf
    • http://jidodurej.epizy.com/seboj.pdf
    • https://s3.amazonaws.com/rebomedug/woreni.pdf
    • https://s3.amazonaws.com/niwotipugonuvoz/3_alif_lam_mim_720p.pdf
    • https://s3.amazonaws.com/numunenoji/836277151.pdf
    • https://uploads.strikinglycdn.com/files/fa93bd83-8755-41c8-a67b-dc1a294e1c0e/how_to_factory_reset_a_nexus_7_tablet.pdf
    • https://uploads.strikinglycdn.com/files/ccb8673c-cf0e-4908-bb4d-10e17ac4a815/pabufibemezivekim.pdf
    • https://s3.amazonaws.com/venunamazozuzo/skyjack_3219_for_sale_new.pdf
    • https://uploads.strikinglycdn.com/files/3269181d-63d6-4974-bc03-e53c4da2d198/how_to_program_bose_remote_to_directv_box.pdf
    • https://uploads.strikinglycdn.com/files/d2e76ebf-87cd-4fe2-a0f0-2c66f5d7a593/yard_machine_garden_tiller_parts.pdf
    • https://s3.amazonaws.com/tenunud/torosunufogepenipusalozi.pdf
    • https://uploads.strikinglycdn.com/files/ee81564d-5da3-4847-af94-5d40f0c4a6f7/coldest_place_in_usa_today_2019.pdf
    • https://uploads.strikinglycdn.com/files/5379ac16-da8e-44c1-9001-0f68350719cc/como_crear_un_en_word_2007.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00019d83.bin
8b16f099718242a26530b3467dd41347cc839222332f731afe669bfef27815f8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x19D83 5432 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.