Malicious PDF — malware analysis report

Static analysis result for SHA-256 307d47033ea49fc7…

Verdict: MALICIOUS
File type: PDF
Size: 70.9 KB
Created: 2021-03-28 05:29:51 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e629a6ce9b6fb090c82ee4b22223da61
SHA-1: 57b2f277a6f21a4b1f8660997311dbd5152a51ba
SHA-256: 307d47033ea49fc758429bf7bc5a80e9a2fe624d696d2cbdc9d8366b4ca68b12
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, with a primary malicious URL identified as 'https://pelibifir.ru/award?keyword=cardiologia+pediatrica+park+pdf+descargar'. The heuristic 'PDF_SEO_LINK_FARM' indicates a large number of external links, suggesting a link farm or phishing attempt. The ML classifier and ClamAV detection further support the malicious nature of the file, classifying it as a phishing trojan.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9191

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF_URI (info): External URI
    PDF contains an external URL action
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://pelibifir.ru/award?keyword=cardiologia+pediatrica+park+pdf+descargar

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000e9d5.bin | 956d6322778fe2ce5d275f911d70a7b4947a5be723155d66a0bee4bff48be74a | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE9D5 | 5292 bytes
font_01_sfnt_off0000fbe3.bin | 45510bab8e8485bb3b3c0f070a1e7f729f5e29e4f1a9ff9ef0efedb15d4e92c0 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFBE3 | 11220 bytes