Malicious PDF — malware analysis report

Static analysis result for SHA-256 3201feae292a9d59…

Verdict: MALICIOUS
File type: PDF
Size: 85.9 KB
Created: 2021-03-29 05:20:11 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: fcc3006e3e135e9a2ceaf6fa2e0b4df6
SHA-1: 50310a1b57b966e4e6b356559bf19b71c823878f
SHA-256: 3201feae292a9d596e3e2a89fe97fdf1b8b302efa6114d23fd5cdf91663b4263
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous external links, with a significant number pointing to Weebly and other domains, suggesting a link farm or phishing attempt. The presence of a PDF_SEO_LINK_FARM heuristic firing indicates a large number of external links designed to appear as legitimate content. The ML classifier and ClamAV detection further support its malicious nature, likely as a phishing lure or a downloader for further malware.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6443

Heuristics (5)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PDFSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

  • font_00_sfnt_off0000e8e1.bin
    SHA-256: d62fb6bf3fbc97c5e88dff4c1dca1910919e479b072f164d7e7f9d9d0663951b
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xE8E1; Size: 5336 bytes
  • font_01_sfnt_off0000fb9b.bin
    SHA-256: 336f6dd59f783cfa130d3801258b8d6b2517fc4800812c8221b9ecc972f592bd
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xFB9B; Size: 5312 bytes
  • font_02_sfnt_off00010dc9.bin
    SHA-256: ae237de96cb7f14027f7f677d38099a2599bdf7271173a4341ef2511f4bce153
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x10DC9; Size: 11772 bytes
  • font_03_sfnt_off000133e0.bin
    SHA-256: d6cec5d81403a3d70faea1540ef19555465bc704c2477342a2b01c02bc8a8e2b
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x133E0; Size: 16488 bytes
  • font_04_sfnt_off00014a6e.bin
    SHA-256: cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x14A6E; Size: 4324 bytes