Malicious PDF — malware analysis report

Static analysis result for SHA-256 1a019ac2a87484a5…

Verdict: MALICIOUS

File type: PDF

Size: 59.7 KB | Created: 2020-12-14 22:47:26 +02:00 | Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5d229b62f54e9f2771faaa7c96081b54 | SHA-1: 2ffb4c7377ed30cfe08a66af8af164474ab23072 | SHA-256: 1a019ac2a87484a50781ace8d736f361641874fcaad9dc59ca76b29ad44cd38f
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous external links, a technique often used in SEO poisoning and phishing campaigns to drive traffic to malicious sites. The heuristic 'PDF_SEO_LINK_FARM' fired on the large number of external links, which suggests an attempt to manipulate search engine results or to distribute malware. The ClamAV detection 'Pdf.Phishing.Trojan' further supports a malicious classification. Although no scripts were extracted, the embedded URLs together with the link-farm heuristic strongly suggest a phishing or malware-distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8124

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI [info] (PDF_URI)
    PDF contains an external URL action.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000d7a7.bin
SHA-256: ae3bbe3aab2d2ce5a86e7bf8de670e3f41ff12c6c54e9242a136219d06ce1f9f
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xD7A7
Size: 4972 bytes