Malicious PDF — malware analysis report

Static analysis result for SHA-256 2c268585521a5b3d…

MALICIOUS

PDF

66.8 KB Created: 2021-03-07 19:52:01 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-18
MD5: f87b408758ca1fbabf0ec33c9b2abe88 SHA-1: a1231098e652dd9be0913c4d3e445234cb3697ac SHA-256: 2c268585521a5b3d4605fbf037ade400b06560b70c2a5f76bfa0af21593fa567
184 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of external links, many hosted on disposable domains, indicating a link farm designed to direct users to potentially malicious content. The presence of a PDF_SEO_LINK_FARM heuristic and ML_NYX_PDF_MALICIOUS classification strongly suggests a phishing or malware distribution attempt. While no scripts were explicitly extracted, the structure and heuristics point towards a malicious intent to lure users through these external links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8274

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://xezojetit.ru/award?keyword=purple+is+my+favorite+color+meme PDF link annotation
    • https://cdn-cms.f-static.net/uploads/4366407/normal_602780f14a796.pdfIn PDF document text
    • https://cdn.sqhk.co/pajokiman/iAURihv/vikings_vs_panthers_stats.pdfIn PDF document text
    • https://cdn.sqhk.co/xagaxubibiz/AiiIghQ/shadow_battle_2._2_hack_apk_mod.pdfIn PDF document text
    • https://cdn.sqhk.co/kixalixu/arjfwhb/dojuvokubegitugena.pdfIn PDF document text
    • https://cdn.sqhk.co/pivugisaxap/Rzgjgfr/gangs_of_london_netflix_trailer.pdfIn PDF document text
    • http://dvestideyli.xyz/8550827976n9c1j.pdfIn PDF document text
    • https://cdn.sqhk.co/kadukugobug/2Zge79F/81752836538.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4501212/normal_603a29b4aaae7.pdfIn PDF document text
    • https://cdn.sqhk.co/nufopusifa/gTfjaif/oneplus_gallery_update_apk.pdfIn PDF document text
    • http://maslovauto.ru/aadhar_card_correction_form_filling_exampleg4uwn.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4408701/normal_5ff1832e648ca.pdfIn PDF document text
    • https://cdn.sqhk.co/fetedudi/ihTGjh3/52212002901.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4486975/normal_601652b11ffea.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://a19d597f-2220-41b3-9459-688249e8a20b.filesusr.com/ugd/f19f53_40f760d8c78645449224a8c23fd5c407.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/5ab5405f-ba33-456c-87af-df91ab60ea22/9286219375.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/def3d77b-f34a-4eaf-a1bf-f93c163bae91/50954954875.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/89bbd98f-e182-4264-b3e8-abc854f7157f/what_is_reading_comprehension_definition.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/07291002-5933-4a87-89c9-320a77f60f31/wudadizesu.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/f8083b6f-033d-4b3b-b196-ea653ef6e93d/water_and_wastewater_engineering_jobs.pdfIn PDF document text
    • https://4993f9ff-345c-4c03-a8ec-d4f8dac664d6.filesusr.com/ugd/debbe1_09d00dbce8fb4d32a3f112b7644823b3.pdf?index=trueIn PDF document text
    • https://50037ee0-0691-4a53-bdc2-b2f8f795cfa6.filesusr.com/ugd/b41a9a_bccddb9b47c44c5a989a08e74bacbdbd.pdf?index=trueIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e7d6.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE7D6 5100 bytes
SHA-256: 38da5edf691eb7ab06847d31d9ebe03ed1b11154ef599245d2faea270b21772d