Verdict: MALICIOUS
Risk Score: 154
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
This PDF was flagged as malicious by three independent signals: a ClamAV signature (Pdf.Phishing.Trojan), the PDF_SEO_LINK_FARM heuristic and the Nyx ML classifier (score 0.9565). The file is small yet yielded 26 external URLs, most of them randomly named PDFs clustered on a handful of hosting domains (cdn.sqhk.co, filesusr.com, f-static.net and free web hosts), which is the pattern of a generated SEO/link-farm carrier rather than genuine document citations. The primary URL of interest is https://jottigo.ru/strik; its utm_term parameter is a product-support search phrase ("honeywell th6110d1005 focuspro 6000 programmable thermostat reset"), consistent with a search-engine-bait document, and the URL is likely used to redirect the user to a malicious site. Two caveats for the analyst: http://www.ascendercorp.com/ and http://scripts.sil.org/OFL are typical font-vendor and font-license URLs that most likely come from the embedded sfnt font (see the extracted artifact below) rather than from link annotations, and none of the listed heuristics reports a JavaScript action, so the T1059.007 mapping is not substantiated by the findings shown in this report.
Machine Learning
- Nyx PDF Classifier malicious score 0.9565
Heuristics (4)
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): a small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- ClamAV detection (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- External URI (info, PDF_URI): the PDF contains an external URL action.
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted URLs (26):
- https://jottigo.ru/strik?utm_term=honeywell+th6110d1005+focuspro+6000+programmable+thermostat+reset
- https://cdn.sqhk.co/modesinilofe/hjji0jd/tagadosimogosebit.pdf
- https://cdn.sqhk.co/govonesed/jfjjahc/the_sims_mobile_mod_apk_happymod.pdf
- http://figukamib.22web.org/pemofibowimasag.pdf
- https://cdn.sqhk.co/jivazufevi/hbhfgeG/basketball_hoop_base_replacement.pdf
- https://cdn.sqhk.co/guwewaxa/iciadgg/5118881464.pdf
- https://cdn-cms.f-static.net/uploads/4386606/normal_602b4b08e7fa9.pdf
- https://cdn-cms.f-static.net/uploads/4455387/normal_603939b89477f.pdf
- https://cdn.sqhk.co/dikonutudibe/YCpjgjg/sododasozafesepudipu.pdf
- http://vidclips.design/los_juegos_del_hambre_sinsajo_parte_2_pelicula_completa_subtitulada7ebyb.pdf
- https://cdn.sqhk.co/rejoxapuzopa/CgcZjgJ/demusejesidajade.pdf
- https://static.s123-cdn-static.com/uploads/4403262/normal_5ff264bcc32cb.pdf
- https://cdn.sqhk.co/fabunavaxa/hjCMbic/kexamilosesenixuguxe.pdf
- http://idealsit.fun/descargar_frida_espaoluwx8e.pdf
- http://ratonawe.iblogger.org/novagakevejene.pdf
- https://cdn.sqhk.co/wemegofuk/hibgd5n/automatic_tennis_ball_launcher_dog_toy.pdf
- http://lifeshop.pro/what_color_is_honda_power_steering_fluido28vi.pdf
- https://cdn.sqhk.co/gitopedevid/aNrjaia/siwifagujutezimitoxa.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://c1bbde11-5cda-4f7c-8b74-b2fe90b484f5.filesusr.com/ugd/1c8c6c_8dff0bafe75f40238fee67264f600d3b.pdf?index=true
- https://bef89f6e-6323-4b84-ad9d-a44490bfcc4f.filesusr.com/ugd/96768c_e1c1169052d74583b6f197d1808a8f23.pdf?index=true
- https://6e3eaeb2-b9dd-4462-8b56-96c59beebd9a.filesusr.com/ugd/dcc11b_8ed5c1ed6806487eb41dd52828d6faee.pdf?index=true
- https://def26600-86c9-4442-a738-094ddf2992d1.filesusr.com/ugd/eb5a6a_df1564a93ddb4664ac33601f981d972c.pdf?index=true
- http://wajalapivibobi.epizy.com/michigan_alcoholism_screening_test.pdf
- http://scripts.sil.org/OFL
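The two heuristics above (PDF_SEO_LINK_FARM and EMBEDDED_URL) describe a procedure that is easy to reproduce for triage: pull every URL out of the file, record the channel that carried it (a /URI link annotation, a /JS action, or plain document bytes), then flag a small file whose clickable links pile onto one host. The following is an added example written for this page, not the analyzer's own code. Everything in it is an assumption for illustration: the thresholds, the regex-based object walk (it only sees uncompressed objects; URLs inside /FlateDecode streams are invisible to a raw scan, so real tooling inflates streams first), and the constructed sample PDF, whose hosts and paths merely echo the "one CDN host carries most links" shape seen in the URL list above.

```python
"""Added example (not the analyzer's code): URL-channel labelling and a
link-farm heuristic in the spirit of PDF_SEO_LINK_FARM / EMBEDDED_URL above.
Works on uncompressed objects only; URLs inside /FlateDecode streams are
invisible to a raw scan, so real tooling inflates streams first."""
import re
from collections import Counter
from typing import Optional
from urllib.parse import urlsplit

# Thresholds are assumptions for this example, not the analyzer's tuned values.
MAX_SMALL_PDF_BYTES = 200 * 1024
MIN_EXTERNAL_LINKS = 8
MIN_TOP_HOST_SHARE = 0.5   # share of link annotations on the busiest host
URL_IN_TEXT = re.compile(rb"https?://[^\s'\")<>]+")


def read_literal(data: bytes, pos: int) -> Optional[bytes]:
    """Read the PDF literal string whose '(' is at data[pos], honouring balanced
    parentheses; a backslash-escaped byte is kept verbatim (no \\ddd decoding)."""
    if data[pos:pos + 1] != b"(":
        return None
    depth, i, out = 0, pos, bytearray()
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":
            out += data[i + 1:i + 2]
            i += 2
            continue
        if c == b"(":
            depth += 1
            if depth > 1:
                out += c
        elif c == b")":
            depth -= 1
            if depth == 0:
                return bytes(out)
            out += c
        else:
            out += c
        i += 1
    return None                                     # unterminated string


def extract_urls(pdf: bytes) -> dict:
    """Map each URL to the sorted list of channels that carried it."""
    chans = {}
    for m in re.finditer(rb"/URI\s*(?=\()", pdf):    # /A << /S /URI /URI (...) >>
        s = read_literal(pdf, m.end())
        if s:
            chans.setdefault(s.decode("latin-1"), set()).add("link_annotation")
    for m in re.finditer(rb"/JS\s*(?=\()", pdf):     # /S /JavaScript /JS (...)
        for u in URL_IN_TEXT.findall(read_literal(pdf, m.end()) or b""):
            chans.setdefault(u.decode("latin-1"), set()).add("javascript")
    for u in URL_IN_TEXT.findall(pdf):               # anything else visible in raw bytes
        chans.setdefault(u.decode("latin-1"), {"document_body"})
    return {u: sorted(c) for u, c in chans.items()}


def link_farm_verdict(pdf: bytes) -> dict:
    """Flag a small PDF whose clickable links cluster on one host."""
    links = [u for u, c in extract_urls(pdf).items() if "link_annotation" in c]
    hosts = Counter(urlsplit(u).hostname or "" for u in links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_n / len(links) if links else 0.0
    flagged = (len(pdf) <= MAX_SMALL_PDF_BYTES
               and len(links) >= MIN_EXTERNAL_LINKS
               and share >= MIN_TOP_HOST_SHARE)
    return {"size_bytes": len(pdf), "links": len(links), "hosts": len(hosts),
            "top_host": top_host, "top_host_share": round(share, 2),
            "flagged": flagged}


def build_sample_pdf(link_urls: list, js: Optional[str] = None) -> bytes:
    """Constructed test input: a one-page uncompressed PDF with one /Link
    annotation per URL, a body-text URL and an optional OpenAction JavaScript."""
    annots = [5 + i for i in range(len(link_urls))]
    js_id = 5 + len(link_urls)
    content = b"BT /F1 12 Tf 72 720 Td (see http://example.org/body-text) Tj ET"
    objs = [b"<< /Type /Catalog /Pages 2 0 R"
            + (b" /OpenAction %d 0 R" % js_id if js else b"") + b" >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R /Annots ["
            + b" ".join(b"%d 0 R" % i for i in annots) + b"] >>",
            b"<< /Length %d >>\nstream\n" % len(content) + content + b"\nendstream"]
    objs += [b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI /URI ("
             + u.encode() + b") >> >>" for u in link_urls]
    if js:
        objs.append(b"<< /Type /Action /S /JavaScript /JS (" + js.encode() + b") >>")
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for i, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % i + body + b"\nendobj\n"
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % o for o in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref)
    return bytes(out)


# Constructed hosts/paths echoing the report's shape: one CDN host carries most links.
SAMPLE_LINKS = [f"https://cdn.farm.example/{w}/{n}.pdf" for n, w in enumerate(
    ["alpha", "bravo", "charlie", "delta", "echo", "foxtrot", "golf"])] + [
    "http://other.example/one.pdf", "http://another.example/two.pdf",
    "https://landing.example/strik?utm_term=constructed+query"]
SAMPLE_JS = 'var u = "https://landing.example/strik"; app.launchURL(u, true);'

if __name__ == "__main__":
    pdf = build_sample_pdf(SAMPLE_LINKS, SAMPLE_JS)
    print(extract_urls(pdf), link_farm_verdict(pdf), sep="\n")
```

Run as a script it prints the per-URL channel labels and the verdict for the constructed sample, which is flagged because ten link annotations sit on four hosts with seven of them on one CDN. The same landing host appears once as a link annotation (with a utm_term) and once inside the JavaScript action, which is exactly the distinction the EMBEDDED_URL note asks for: the URL list alone does not tell you which channel reached a URL, the labels do.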
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off0000e071.bin | b980fe4499d66a30fffef4bf427bd21b9f88f63a530ffa332b210e8b6cd30038 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE071 | 6336 bytes |