Malicious PDF — malware analysis report

Static analysis result for SHA-256 30146c33d3ad60c0…

MALICIOUS

PDF

Size: 72.2 KB
Created: 2021-03-19 18:03:52 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 72d1e03bd31b11e4968032a55d1e62bf
SHA-1: 22ed1e8bc82b7106b623b18dfe3a06da27e16496
SHA-256: 30146c33d3ad60c050b80f805d2348b235fa5cced75138b6ffc18c6a2abdfe23
Risk Score: 126

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous external links, and a critical heuristic identifies it as a link farm designed to redirect users. The ClamAV detection and the presence of multiple URLs of unknown reputation suggest a phishing or malware distribution attempt. Although no scripts were explicitly extracted, the PDF structure and the link-farm heuristic indicate that it is designed to lead users to malicious sites.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.4944

Heuristics (5)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] PDF_DIFFERENTIAL_PARSE_FAILED: PDF differential parser failed
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PDFSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000dd7e.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xDD7E   5260 bytes
  SHA-256: 48cd143bf1b4ea9625be07e956462baa557ad8d42addc8c44e7bd2f1f1b01951
font_01_sfnt_off0000ef74.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xEF74   10096 bytes
  SHA-256: 1ea62f002821f61f3712306b459469daf682b7f6d080519d8694269e9edb7c8a
font_02_sfnt_off000111e1.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x111E1  4324 bytes
  SHA-256: d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378