Malicious PDF — malware analysis report

Static analysis result for SHA-256 212a02aacc1ed911…

Verdict: MALICIOUS

File type: PDF

Size: 61.3 KB    Created: 2021-03-15 21:26:18 +02:00    Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 526db2bdbc021bcd276d00dede24d575    SHA-1: 5ac2c74295a926752a1fe237da2300622b06e048    SHA-256: 212a02aacc1ed9110c276ddce9eb7e2672aebbbdae8e864bc90d75f57274b361
Risk score: 154

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment; T1059.007 JavaScript

This PDF was flagged by ClamAV (Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0) and by the Nyx PDF classifier (malicious score 0.9169), and the heuristic firings describe a link-farm carrier rather than a genuine document: a small (61.3 KB) file generated with wkhtmltopdf whose visible text is largely garbled but which contains dozens of clickable external links to further hosted PDFs on free-hosting CDNs (weebly.com, strikinglycdn.com, filesusr.com, f-static.net, s123-cdn-static.com), plus one lure link to fokemale.ru. The keyword carried in that link's query string (calendario 2020 con festivos colombia para imprimir pdf) points to a Spanish-language "printable 2020 Colombian holiday calendar" search lure, the usual pattern of SEO-poisoning chains that route searchers into malicious or unwanted-software downloads. No JavaScript or other script content was extracted, so the T1059.007 mapping is not backed by any recovered code; the delivery risk here is in the links themselves. The ascendercorp.com and scripts.sil.org/OFL URLs look like font-license strings (Ascender Corp is a type foundry; OFL is the SIL Open Font License) and most likely come from the embedded font carved below rather than from the lure content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9169

Heuristics (4)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • [info] PDF_URI: External URI
    PDF contains an external URL action
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL https://fokemale.ru/award?keyword=calendario+2020+con+festivos+colombia+para+imprimir+pdf
    • https://static.s123-cdn-static.com/uploads/4366015/normal_5ff3eb296d4cd.pdf
    • https://foboxujegi.weebly.com/uploads/1/3/4/6/134694162/vozakexerewiwopen.pdf
    • https://luxituwane.weebly.com/uploads/1/3/1/8/131859527/7db3bb856.pdf
    • https://nagipunewemog.weebly.com/uploads/1/3/5/3/135315215/3e1a6.pdf
    • https://cdn-cms.f-static.net/uploads/4413455/normal_603ff6952b730.pdf
    • https://cdn-cms.f-static.net/uploads/4477138/normal_5fd2af8e080a7.pdf
    • https://regasefes.weebly.com/uploads/1/3/1/8/131871592/balava_xajekasagar_jepenekabubetad.pdf
    • https://kibowoje.weebly.com/uploads/1/3/0/7/130775027/c2af20c26f.pdf
    • https://static.s123-cdn-static.com/uploads/4420230/normal_6004a53d8081d.pdf
    • https://nopuwilimo.weebly.com/uploads/1/3/4/4/134490360/37533.pdf
    • https://cdn-cms.f-static.net/uploads/4408720/normal_6029fc00753e9.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://0a38098d-26c8-4844-ab0b-2dfc398d7f8d.filesusr.com/ugd/fffd55_4c88bfb6b45b4fcba0f701e1769902f3.pdf?index=true
    • https://uploads.strikinglycdn.com/files/35241785-c822-4b72-bd3a-fe3397740c78/vb.net_interview_questions_with_answers_for_experienced.pdf
    • https://uploads.strikinglycdn.com/files/eae534f5-319d-4a6b-b2b7-7337bb2d6a67/how_to_open_a_sentry_v260_safe.pdf
    • https://b6f97e74-198a-461d-a312-d71b9712332b.filesusr.com/ugd/a2d007_5e624106fefd4a24a8f49cb2fe4ecb22.pdf?index=true
    • https://uploads.strikinglycdn.com/files/f692db58-969f-4764-9de5-540994d8e04a/54762705976.pdf
    • https://uploads.strikinglycdn.com/files/99dacfde-400f-4ac6-abf2-99f80d553409/fozat.pdf
    • https://uploads.strikinglycdn.com/files/689d62fa-a0c9-4c99-b0d2-72365a449382/ff7_remake_guide.pdf
    • https://a39ac558-8fe8-437d-9e10-dc9402d6cb9c.filesusr.com/ugd/1ebe14_b4f5d4b200bf4de98e72ecbad35c14e6.pdf?index=true
    • https://uploads.strikinglycdn.com/files/fb65a8d1-c750-4ebf-8b20-26e3a48408fa/honda_izy_carb_gasket_kit_gcv135_gcv160.pdf
    • https://b7f5b04e-b247-49a4-9dc0-39f0c843ec09.filesusr.com/ugd/b56f86_df1e4fd3f76b4450bd61222bf5805281.pdf?index=true
    • https://9a4203bb-6ff2-4ef1-9c63-3f113f84a884.filesusr.com/ugd/ea9bdf_e6bcd6eddfc5494abf1051b25ce6ef93.pdf?index=true
    • https://uploads.strikinglycdn.com/files/ad6ee391-efc0-4fba-9d2a-f1373ed1d927/ernest_hemingway_books_ranked.pdf
    • http://scripts.sil.org/OFL
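The PDF_URI and PDF_SEO_LINK_FARM firings above come down to two steps: pull the /URI targets out of the link annotations, then measure how many of them point at further .pdf files and how concentrated they are on a few hosting domains. The following is an added example of that logic, not the analysis tool's own code. It builds a constructed stand-in PDF from a subset of the URLs listed above (the real sample is not reproduced), extracts the literal-string /URI actions with a regex over the raw bytes, and applies assumed thresholds (file under 200 KB, at least 10 .pdf links making up at least half of the external links). The registrable-domain helper is a naive last-two-labels cut, not a Public Suffix List lookup.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Subset of the URLs reported above: the fokemale.ru lure link, ten .pdf
# carrier links on free-hosting CDNs, and the two font-license URLs.
SAMPLE_URLS = [
    "https://fokemale.ru/award?keyword=calendario+2020+con+festivos+colombia+para+imprimir+pdf",
    "https://static.s123-cdn-static.com/uploads/4366015/normal_5ff3eb296d4cd.pdf",
    "https://foboxujegi.weebly.com/uploads/1/3/4/6/134694162/vozakexerewiwopen.pdf",
    "https://luxituwane.weebly.com/uploads/1/3/1/8/131859527/7db3bb856.pdf",
    "https://nagipunewemog.weebly.com/uploads/1/3/5/3/135315215/3e1a6.pdf",
    "https://cdn-cms.f-static.net/uploads/4413455/normal_603ff6952b730.pdf",
    "https://regasefes.weebly.com/uploads/1/3/1/8/131871592/balava_xajekasagar_jepenekabubetad.pdf",
    "https://0a38098d-26c8-4844-ab0b-2dfc398d7f8d.filesusr.com/ugd/fffd55_4c88bfb6b45b4fcba0f701e1769902f3.pdf?index=true",
    "https://uploads.strikinglycdn.com/files/35241785-c822-4b72-bd3a-fe3397740c78/vb.net_interview_questions_with_answers_for_experienced.pdf",
    "https://uploads.strikinglycdn.com/files/eae534f5-319d-4a6b-b2b7-7337bb2d6a67/how_to_open_a_sentry_v260_safe.pdf",
    "https://uploads.strikinglycdn.com/files/689d62fa-a0c9-4c99-b0d2-72365a449382/ff7_remake_guide.pdf",
    "http://www.ascendercorp.com/",
    "http://scripts.sil.org/OFL",
]


def build_pdf(urls):
    """Constructed stand-in: a one-page PDF with one /Link annotation carrying a
    /URI action per URL. This is NOT the analysed sample, only a test input."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    ]
    annots = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(urls)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
                b"/Annots [" + annots + b"] >>")
    for u in urls:
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                    b"/A << /S /URI /URI (" + u.encode("latin-1") + b") >> >>")
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for n, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (n, body)
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % o for o in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objs) + 1, xref)
    return bytes(out)


# Literal-string /URI value, honouring backslash escapes inside the parentheses.
_URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)


def extract_uris(pdf):
    """The PDF_URI signal: every /URI action target found in the raw bytes.
    Hex-string URIs and URIs inside compressed object streams are not handled;
    a real parser (pikepdf, pdfminer) is needed for those."""
    return [re.sub(rb"\\(.)", rb"\1", m).decode("latin-1") for m in _URI_RE.findall(pdf)]


def registrable_domain(host):
    # Naive last-two-labels cut (assumption, no Public Suffix List). Enough to
    # collapse *.weebly.com / *.filesusr.com / *.strikinglycdn.com subdomains.
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def link_farm_score(pdf, *, max_size=200_000, min_pdf_links=10, min_pdf_ratio=0.5):
    """The PDF_SEO_LINK_FARM heuristic with assumed thresholds: a small file whose
    external links are mostly further .pdf downloads, clustered on few domains."""
    external = [u for u in extract_uris(pdf) if urlsplit(u).scheme in ("http", "https")]
    pdf_links = [u for u in external if urlsplit(u).path.lower().endswith(".pdf")]
    by_domain = Counter(registrable_domain(urlsplit(u).hostname or "") for u in external)
    top = by_domain.most_common(1)[0] if by_domain else ("", 0)
    ratio = len(pdf_links) / len(external) if external else 0.0
    fired = len(pdf) <= max_size and len(pdf_links) >= min_pdf_links and ratio >= min_pdf_ratio
    return {"size": len(pdf), "external_links": len(external), "pdf_links": len(pdf_links),
            "pdf_ratio": round(ratio, 3), "top_domain": top, "fired": fired}


if __name__ == "__main__":
    print(link_farm_score(build_pdf(SAMPLE_URLS)))
```

On the constructed input this fires (10 of 13 external links are .pdf downloads, with weebly.com the most common registrable domain), while a two-link document does not. In triage, a firing like this should be followed by dropping every extracted URL into a URL reputation pipeline; the links, not the PDF's own content, are the payload delivery step here.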

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                          Kind             Source                                   Size
font_00_sfnt_off0000e571.bin      pdf-font-stream  PDF embedded font (sfnt) at offset 0xE571  5680 bytes
  SHA-256: 504464a2751183b9d283b0a945b545f0fbea7f88d4488b284a1c85f8a9b78d1a