Malicious PDF — malware analysis report

Static analysis result for SHA-256 26518e56a7cdc2b1…

Verdict: MALICIOUS
File type: PDF
Size: 56.9 KB
Created: 2021-06-05 23:20:05 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2eba1f5ae174404650f7a4abf3375332
SHA-1: 83a81d9a6452362f6dda00d180e93611a3d2c87e
SHA-256: 26518e56a7cdc2b145c1464fd0424fc418999dbc18eb2be27202686445ce15a0
Risk score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF is a small wkhtmltopdf-generated document whose content is a mass of external links, and the critical PDF_SEO_LINK_FARM heuristic identifies it as a link farm: 16 of the 28 extracted URLs point at uploads.strikinglycdn.com, most of the rest at weebly.com and pbworks.com subdomains, and nearly every target is itself another hosted PDF, the chaining pattern of generated SEO carriers rather than a document's citations. The primary external URL, 'https://allytemp.ru/pbw?utm_term=how+do+i+tell+what+year+my+evinrude+outboard+is', carries a keyword-stuffed utm_term typical of SEO-poisoning redirectors and most likely lands users on a phishing or unwanted-software delivery site. ClamAV independently flags the file as Pdf.Phishing.Trojan. No JavaScript or other scripts were extracted, so the T1059.007 mapping is not corroborated by the static findings; the malicious verdict rests on a document structure built to redirect users rather than to convey information. The two ascendercorp.com URLs and scripts.sil.org/OFL are the kind of vendor and license URLs carried in font name tables, and given the embedded sfnt font below they are most plausibly font metadata rather than clickable links.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.7589

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): small PDF contains a mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF_URI (info): external URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): embedded URLs
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels (not reproduced in this export) record which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://allytemp.ru/pbw?utm_term=how+do+i+tell+what+year+my+evinrude+outboard+is
    Other extracted URLs:
    • https://sufifova.weebly.com/uploads/1/3/4/7/134736026/danigenapivukoj_wenutagoxem_xagavatezanov_jupigugetoxugiv.pdf
    • https://kamefumude.weebly.com/uploads/1/3/4/0/134018396/e728347.pdf
    • https://niwanuve.weebly.com/uploads/1/3/1/4/131406473/7a4058fcf0c300f.pdf
    • https://gemirolav.weebly.com/uploads/1/3/1/6/131606407/3132628.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://vejivab.pbworks.com/w/file/fetch/144567987/what_is_in_mod_cauliflower_crust.pdf
    • https://uploads.strikinglycdn.com/files/178ccd52-e0b1-4245-a17e-491d5835dc06/palabras_agudas_graves_llanas_esdrujulas_y_sobreesdrujulas.pdf
    • https://uploads.strikinglycdn.com/files/35d173b9-c67e-48fb-a72d-1a3ad3833dcc/why_is_18th_century_called_the_age_of_prose_and_reason.pdf
    • https://uploads.strikinglycdn.com/files/93c60437-9420-43eb-9347-7e1c04e049b3/jofoluvemurinubujozewug.pdf
    • https://uploads.strikinglycdn.com/files/0898a91e-1d67-4769-95ef-afb2de8f2126/maxi_cosi_pria_70_car_seat_travel_bag.pdf
    • https://uploads.strikinglycdn.com/files/0452ffed-66a0-4ca0-a597-00f9adc609fe/80551942747.pdf
    • http://tereburokofe.pbworks.com/w/file/fetch/144504690/vabafumetoropeperakuvam.pdf
    • https://uploads.strikinglycdn.com/files/6d085bef-fdae-4a77-b9fb-e745f30841e0/mezuzakalog.pdf
    • https://uploads.strikinglycdn.com/files/ec6dd452-90b2-4a54-bad6-fd0d681539fb/donadirinigupoxudokud.pdf
    • https://uploads.strikinglycdn.com/files/6258ae23-968f-4aa0-922c-dd81170d90ec/descargar_disco_de_julion_alvarez_2019.pdf
    • https://uploads.strikinglycdn.com/files/88d33a01-0261-4c4f-8cb2-0f86a283bd34/48506160919.pdf
    • https://uploads.strikinglycdn.com/files/cb0d1a6d-b293-48c8-8f95-e386a3586a36/lelijikunipexowuwatab.pdf
    • http://jujirafamena.pbworks.com/f/jizimiwur.pdf
    • https://uploads.strikinglycdn.com/files/2a682180-e827-4c66-9de0-4e322093aa58/wamosaxaparawirunega.pdf
    • https://uploads.strikinglycdn.com/files/47608187-e48f-460f-8a44-d9aae5df2a99/47877989860.pdf
    • https://uploads.strikinglycdn.com/files/987a8a80-f562-42c5-a066-64e98d8abc8b/survival_of_the_fittest_examples.pdf
    • http://polubisoxuwo.pbworks.com/w/file/fetch/144504939/ribofis.pdf
    • https://uploads.strikinglycdn.com/files/03efdbf3-b7bd-4bdb-99d3-2fc79adbc090/60779036215.pdf
    • https://uploads.strikinglycdn.com/files/3a0749d6-5277-4ba4-8ab6-232d745b4ac4/76399416146.pdf
    • https://uploads.strikinglycdn.com/files/8bb0b99f-0ded-4143-a929-1b5c95926dec/muvowonovavaviko.pdf
    • http://scripts.sil.org/OFL
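The PDF_SEO_LINK_FARM heuristic and the EMBEDDED_URL extraction above can be reproduced with a scan over uncompressed PDF object text. The Python below is an added example written for this page, not the analysis engine's code: it builds a constructed sample PDF whose link annotations are distributed like the report's URLs (the hosts come from the report, the paths and counts are made up), extracts every /URI action target in both literal-string and hex-string form, and applies assumed thresholds (file at most 200 KB, at least 10 external links, at least half of them on one host). Annotations stored in Flate-compressed object streams are invisible to a raw scan and must be inflated first.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed link set, not the sample's: hosts mirror the report, paths are made up.
# The second entry is written into the PDF as a hex string to exercise that branch.
SAMPLE_LINKS = (
    ["https://allytemp.ru/pbw?utm_term=how+do+i+tell+what+year+my+evinrude+outboard+is"]
    + [f"https://uploads.strikinglycdn.com/files/{i:08x}/{i}.pdf" for i in range(12)]
    + ["http://vejivab.pbworks.com/w/file/fetch/144567987/a.pdf",
       "http://jujirafamena.pbworks.com/f/b.pdf",
       "http://scripts.sil.org/OFL"]
)


def build_sample_pdf(links):
    """Build a minimal, uncompressed PDF with one /Link annotation per URL."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    first_annot = 4  # objects 1-3 are catalog, pages tree, page
    refs = b" ".join(b"%d 0 R" % (first_annot + i) for i in range(len(links)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /Annots [" + refs + b"] >>")
    for i, url in enumerate(links):
        if i == 1:  # hex-string form <...>, which some generators emit
            uri = b"<" + url.encode().hex().encode() + b">"
        else:       # literal-string form (...)
            uri = b"(" + url.encode() + b")"
        objs.append(b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI " + uri + b" >> >>")
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (n, o) for n, o in enumerate(objs, 1))
    return b"%PDF-1.4\n" + body + b"trailer << /Root 1 0 R >>\n%%EOF\n"


SAMPLE_PDF = build_sample_pdf(SAMPLE_LINKS)

# /URI followed by a literal string (backslash escapes, no nested parens) or a hex string.
_URI_RE = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)", re.S)


def extract_uris(pdf_bytes):
    """Return the targets of all /URI actions found in uncompressed object text.

    Caveat: annotations inside /ObjStm or under /FlateDecode are invisible to a raw
    scan; inflate those streams (pdf-parser.py, pypdf) before calling this.
    """
    targets = []
    for m in _URI_RE.finditer(pdf_bytes):
        literal, hexstr = m.group(1), m.group(2)
        if hexstr is not None:
            digits = re.sub(rb"\s", b"", hexstr)
            if len(digits) % 2:          # PDF allows an odd final digit, meaning trailing 0
                digits += b"0"
            raw = bytes.fromhex(digits.decode())
        else:
            raw = re.sub(rb"\\(.)", rb"\1", literal)  # unescape \( \) \\ ; octal escapes not handled
        targets.append(raw.decode("latin-1"))
    return targets


def link_farm_verdict(pdf_bytes, max_size=200_000, min_links=10, min_cluster=0.5):
    """Assumed thresholds: small file, many external links, half or more on one host."""
    external = [u for u in extract_uris(pdf_bytes) if urlsplit(u).scheme in ("http", "https")]
    hosts = Counter(urlsplit(u).hostname for u in external)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    ratio = top_count / len(external) if external else 0.0
    hit = len(pdf_bytes) <= max_size and len(external) >= min_links and ratio >= min_cluster
    return {"size": len(pdf_bytes), "external_links": len(external), "top_host": top_host,
            "cluster_ratio": round(ratio, 3), "hosts": dict(hosts.most_common()), "hit": hit}


if __name__ == "__main__":
    for url in extract_uris(SAMPLE_PDF):
        print("URL", url)
    print(link_farm_verdict(SAMPLE_PDF))
```

On the constructed sample the verdict fires with 12 of 16 links on uploads.strikinglycdn.com; trimming the link set to three URLs drops it below the link-count threshold and the verdict clears. The host ratio, not the raw count, is what separates a generated carrier from a long but ordinary bibliography.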

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000d671.bin
    SHA-256: e0ae4dc7e7ed821cc909ee78e3cd9e2fce517c733cd6e9baa3ecde5be5d0e84a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD671
    Size: 5304 bytes
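The artifact entry above records an embedded font carved by offset and length. The Python below is an added illustration, not the analysis engine's carver: it scans a constructed byte buffer for sfnt version magics, walks the table directory to find where the font ends, rejects look-alike headers, and names and hashes the result in the report's style. It assumes the font stream is already decoded (a FontFile2 stream under /FlateDecode has to be inflated before carving), and the 64-table sanity bound is an assumption.

```python
import hashlib
import struct

# sfnt version tags: TrueType 1.0, OpenType/CFF ("OTTO"), Apple TrueType ("true").
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true")
MAX_TABLES = 64  # assumed sanity bound; shipping fonts carry far fewer tables


def sfnt_extent(buf, off):
    """Length of the sfnt starting at buf[off], or None if the header is not plausible.

    Walks the 12-byte offset table and the 16-byte table records; the font ends at the
    furthest table offset+length (offsets are relative to the sfnt start), rounded up
    to the 4-byte alignment the format requires.
    """
    if len(buf) < off + 12 or buf[off:off + 4] not in SFNT_MAGICS:
        return None
    num_tables = struct.unpack(">H", buf[off + 4:off + 6])[0]
    if not 0 < num_tables <= MAX_TABLES:
        return None
    dir_len = 12 + 16 * num_tables
    end = dir_len
    for i in range(num_tables):
        rec = off + 12 + 16 * i
        if rec + 16 > len(buf):
            return None
        tag, _checksum, t_off, t_len = struct.unpack(">4sIII", buf[rec:rec + 16])
        if not all(0x20 <= c < 0x7F for c in tag):            # tags are printable ASCII
            return None
        if t_off < dir_len or off + t_off + t_len > len(buf):  # overlaps directory / truncated
            return None
        end = max(end, t_off + t_len)
    end += -end % 4
    return min(end, len(buf) - off)


def carve_sfnt_fonts(buf):
    """Return [(offset, bytes)] for every plausible sfnt in buf, found by magic scan."""
    found, pos = [], 0
    while True:
        hits = [h for h in (buf.find(m, pos) for m in SFNT_MAGICS) if h != -1]
        if not hits:
            return found
        off = min(hits)
        size = sfnt_extent(buf, off)
        if size:
            found.append((off, buf[off:off + size]))
            pos = off + size
        else:
            pos = off + 1          # false positive: skip this magic and keep scanning


def describe_artifacts(buf):
    """Name and hash carved fonts the way the report's artifact table does."""
    return [{"name": f"font_{i:02d}_sfnt_off{off:08x}.bin",
             "sha256": hashlib.sha256(data).hexdigest(),
             "kind": "pdf-font-stream", "offset": off, "size": len(data)}
            for i, (off, data) in enumerate(carve_sfnt_fonts(buf))]


def build_fake_sfnt(tables):
    """Constructed test input: a structurally valid (not renderable) TrueType sfnt."""
    n = len(tables)
    header = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", n, 0, 0, 0)
    records, body, off = b"", b"", 12 + 16 * n
    for tag, data in tables.items():
        records += struct.pack(">4sIII", tag, 0, off, len(data))
        padded = data + b"\0" * (-len(data) % 4)   # tables are 4-byte aligned
        body += padded
        off += len(padded)
    return header + records + body


FAKE_FONT = build_fake_sfnt({b"head": b"H" * 54, b"name": b"N" * 40})   # 140 bytes
# Constructed container, not the analysed sample: an uncompressed font stream plus a
# decoy "OTTO" that is not a font (its numTables field would read 0x4D41 = 19777).
PREFIX = (b"%PDF-1.4\n% OTTOMAN is not a font header\n"
          b"9 0 obj << /Length 140 >> stream\n")
SAMPLE_STREAM = PREFIX + FAKE_FONT + b"\nendstream\nendobj\n%%EOF\n"

if __name__ == "__main__":
    for art in describe_artifacts(SAMPLE_STREAM):
        print(art)
```

The decoy shows why a carver must validate the directory rather than trust the magic alone: "OTTO" occurs in ordinary text, and a bare magic scan over a 57 KB PDF would emit junk artifacts. Checking printable tags, in-bounds offsets and a sane table count is what makes the carved offset and size trustworthy.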