Malicious PDF — malware analysis report

Static analysis result for SHA-256 1be2a5e91fbe3f07…

Verdict: MALICIOUS

File type: PDF

Size: 66.6 KB
Created: 2020-11-10 03:05:35 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e3a2b26ad5a8b3d032cb3c38723f005d
SHA-1: efd1d7dab1e2b8bfc968c82b7ba36cee86ccf798
SHA-256: 1be2a5e91fbe3f07d3dba7f8a90b2d8b2c5a908f9854fd0f6fe532f3e1ae6b4d
Risk Score: 154

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF document contains a large number of external links and is identified as a PDF link farm, suggesting an intent to redirect users to potentially harmful content or to manipulate search rankings. The ClamAV detection and the ML classifier further support its malicious nature. Although no scripts were extracted, the large number of external URIs indicates a likely attempt to lead the user to a malicious site, possibly for phishing or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6396

Heuristics (4)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://trafftec.ru/strik?keyword=mansfeld+middle+school+zip+code
    • https://bavobero.weebly.com/uploads/1/3/4/5/134585538/2bc581.pdf
    • https://cdn-cms.f-static.net/uploads/4383475/normal_5f91d8f190553.pdf
    • https://xibogunef.weebly.com/uploads/1/3/1/3/131398295/binodogotaket_texiku_fejisogalaj_bekamofuga.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/xanebavifamopez/53507376847.pdf
    • https://s3.amazonaws.com/jamokaroxoj/zusodazatejawilezegiwav.pdf
    • https://uploads.strikinglycdn.com/files/808cba9f-cfba-437b-bd18-a2dfb3cee364/lixoxusarivexexa.pdf
    • https://uploads.strikinglycdn.com/files/f32c9182-3921-4ffe-8980-60fa04ab7ceb/89563448019.pdf
    • https://uploads.strikinglycdn.com/files/0133a991-ec4e-4fba-82e4-184cb21d0fa6/download_kungfu_panda_2008_sub_indo.pdf
    • https://s3.amazonaws.com/wisuw/bagazawamef.pdf
    • https://uploads.strikinglycdn.com/files/4888c87f-33be-4fe8-99aa-49da5e04afde/66395294913.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000cd42.bin
    SHA-256: ca18255a644d02869e7e34294c810fbc99a19944294bda17fc49c5dfc99d9d85
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xCD42
    Size: 5356 bytes
  • Filename: font_01_sfnt_off0000df67.bin
    SHA-256: 0a4e12ef7908d35e46701b52d738bd52096ef7a15b16fa45d8756a1a023be913
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDF67
    Size: 10772 bytes