Malicious PDF — malware analysis report

Static analysis result for SHA-256 30700bbb80744471…

MALICIOUS

PDF

Size: 88.8 KB
Created: 2021-03-02 05:08:43 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-11
MD5: 77cf54f052c1117b3fb8646935a6f019
SHA-1: 65e238c25b6d6dcfee60d12cf1c9d1e03b6e89f8
SHA-256: 30700bbb80744471ae85bf4c1b72366486e07a8239f9e6339315b62455d620ab
Risk Score: 124

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains multiple embedded URLs, with a critical heuristic identifying it as a link farm. One of the primary URLs, 'https://jacksth.ru/award?keyword=what+does+the+term+bogey+mean', is directly presented in the document's metadata and appears to be a lure. The ClamAV detection and the presence of numerous external links suggest a phishing or SEO spam campaign designed to redirect users to potentially malicious content.

Machine Learning

  • Nyx PDF Classifier: clean score 0.2246

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info, PDF_URI]
    PDF contains an external URL action.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (7)

Files carved from inside the sample during analysis.

Each entry lists filename, kind, source, size and SHA-256.

  • font_00_sfnt_off0000e81d.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xE81D; Size: 5588 bytes
    SHA-256: ba5237cd526fe7cdb774a50d86e75640d99618175ba7dd80afc07ecae5551fd9
  • font_01_sfnt_off0000fbac.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xFBAC; Size: 5460 bytes
    SHA-256: 01a162718c82bd9cce65c67210a0b0502c36dadbcdebd3acaf01e698544a7ddd
  • font_02_sfnt_off00010e1d.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x10E1D; Size: 2656 bytes
    SHA-256: dbaab8dcf32bfe64cb008f34eb54f5316f62236e8dffe3de49b44225404383a5
  • font_03_sfnt_off00011921.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x11921; Size: 2328 bytes
    SHA-256: c42118b51b061dffbc196cd4866a2cf76d9f31ae9d0a8f6c06e6ad224a677b24
  • font_04_sfnt_off000123d6.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x123D6; Size: 2108 bytes
    SHA-256: 806d12f4c18e044784d20764d58024893796e88f204c306662924b3e907cbcac
  • font_05_sfnt_off00012da1.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x12DA1; Size: 6640 bytes
    SHA-256: 2da83060ad210a9a1743b04a22b2cc5ebb14ba7af64fbaa5f25da2d26a1b3d84
  • font_06_sfnt_off00013f3f.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x13F3F; Size: 12392 bytes
    SHA-256: 0d9bf8bf08fbe491412637e13940988986b0fb53a69426cf0fb5e2578d7e922f