Malicious PDF — malware analysis report

Static analysis result for SHA-256 30a732c98aa1b86d…

MALICIOUS

PDF

Size: 57.2 KB
Created: 2021-03-24 03:56:28 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b7eef26177ac8dc21b5cbad4c3c91e04
SHA-1: 8bc9805151f5c39aaf3b67d5187568549076597d
SHA-256: 30a732c98aa1b86db65e0a0ccafe6b5aa93e525ca78a4c12f0fc7376fb1f282b
Risk Score: 212

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous embedded links designed to redirect users to external websites, as indicated by the PDF_MALICIOUS_REDIRECTOR_LINK and PDF_SEO_LINK_FARM heuristics. The ClamAV detection and ML classifier further support its malicious nature. The embedded links, such as 'https://yafferge.ru/award?keyword=simple+low+cost+electronics+projects+fred+blechman+pdf', likely serve as lures for phishing or to download further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8118

Heuristics (4)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://yafferge.ru/award?keyword=simple+low+cost+electronics+projects+fred+blechman+pdf
    • http://matroskin.space/duvev5c5ri.pdf
    • https://jesemokomu.weebly.com/uploads/1/3/4/6/134687046/radetoladugi_reguzolisas.pdf
    • http://filfex.ru/how_to_do_screen_mirroring_on_sharp_tv0uke8.pdf
    • http://100naturals.fun/inception_theme_song_sheet_musicob7so.pdf
    • http://yesitalia.fun/nea_marin_miliardar_film9hq87.pdf
    • https://fiwisito.weebly.com/uploads/1/3/4/7/134715438/6905.pdf
    • https://wulakajif.weebly.com/uploads/1/3/2/7/132740593/4070caa30.pdf
    • https://lasebotoxuxuxir.weebly.com/uploads/1/3/4/7/134729765/1230016.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/573d1d2c-ecbb-4047-a437-5d663a841fce/31150025272.pdf
    • https://s3.amazonaws.com/zevutebulaworel/bamboo_tablet_cth_670_driver.pdf
    • https://s3.amazonaws.com/wofaxil/96260225614.pdf
    • https://uploads.strikinglycdn.com/files/91805a0b-df62-4a71-a961-88ecb8d0ed51/1182449133.pdf
    • https://uploads.strikinglycdn.com/files/c02cde17-5394-4ca0-bf95-59db1d63a63d/79628451166.pdf
    • https://uploads.strikinglycdn.com/files/e843b90b-b772-4ca4-b3cf-941bb5fc3105/76477787216.pdf
    • https://uploads.strikinglycdn.com/files/700dab19-25fb-4683-9b14-d5f5b224210c/ocga_title_16-3-21.pdf
    • https://s3.amazonaws.com/wujodibu/tofet.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000d37d.bin
SHA-256: 6fbf25ed9c78e17791b939431e22b626c11d67a5cbb23145880a43158d425a6c
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xD37D
Size: 5804 bytes