Malicious PDF — malware analysis report

Static analysis result for SHA-256 1afc9ce32482a1ee…

Verdict: MALICIOUS
File type: PDF
Size: 80.4 KB
Created: 2021-03-15 09:50:32 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-07-10
MD5: 7e3564f1170ad1436a72e3929bbc14b4
SHA-1: e62a966ebb8ba18602c0cd36defa5796ceefdd69
SHA-256: 1afc9ce32482a1ee662a74cee76496657a106691636d297e9682e027ef778a3f
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF triggers the 'PDF_SEO_LINK_FARM' heuristic, which indicates a large number of external links, many of which are likely malicious. The 'ML_NYX_PDF_MALICIOUS' and 'CLAMAV_DETECTION' heuristics further support its malicious nature. The primary malicious URL identified is 'https://maypoin.ru/strik?utm_term=pokemon+sun+and+moon+burning+shadows+card+prices', which is likely part of a phishing or scam campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9714

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://maypoin.ru/strik?utm_term=pokemon+sun+and+moon+burning+shadows+card+prices (in PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00010db6.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10DB6
    Size: 5752 bytes
    SHA-256: bc1f879cf035ed0a68c8132c2094bba91dda2ba1f1ad5d1babf394f120a0d883
  • font_01_sfnt_off0001212f.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1212F
    Size: 11768 bytes
    SHA-256: c832f06594df197062455a56dafc27b8a34fa489850a274efa59f9b190415a4a