Malicious PDF — malware analysis report

Static analysis result for SHA-256 1a1ffb52ff26bd61…

Verdict: MALICIOUS
File type: PDF
Size: 77.5 KB
Created: 2021-03-20 16:28:29 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 04f0be201fae92f0d45736f568e4cf16
SHA-1: 056b11df539bc600c4a7d375cff8081e57b57261
SHA-256: 1a1ffb52ff26bd6164cdb5cc3a79532de4817a17407236c056d2a4f50869b419
Risk score: 154

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous external links, a common tactic for link farms and phishing campaigns. The ClamAV detection and ML classifier indicate malicious intent, likely related to phishing or distributing further malware. While no scripts were explicitly extracted, the PDF structure and embedded URIs suggest it's designed to redirect users to malicious sites.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.7190

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000fb7e.bin
  SHA-256: 3267da4a0ac12acb5dd1429d4493c7a130e98646798acc2cd8a068d68433bc92
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xFB7E
  Size: 5168 bytes

Filename: font_01_sfnt_off00010cee.bin
  SHA-256: c3d1bdfdffaeaf6437c4b2252245e7cb8b43ea33bf5998928fe6d43a22f75982
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10CEE
  Size: 11708 bytes