Malicious PDF — malware analysis report

Static analysis result for SHA-256 391c3e4562c14505…

Verdict: MALICIOUS

File type: PDF

Size: 38.7 KB
Authoring application: Poppler-utils
First seen: 2021-02-20

MD5: 6890757bcab9762658c8bad9ce87b018
SHA-1: 915f8f5abbf41290918560eee434d318f282f54e
SHA-256: 391c3e4562c145050accbe216de5e7d31604e59c6578fe76299d169f2a705424

Risk Score: 192

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (4)

  • ClamAV: Pdf.Dropper.Agent-7954659-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7954659-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://spccmd.com/uploads/1/3/0/5/130550657/nalotolerarunate.pdf (In PDF document text)
    • http://noebrown.com/uploads/1/3/0/6/130604874/nizunamunani.pdf (In PDF document text)
    • http://midcountydentalcare.com/uploads/1/3/0/6/130604036/3343221.pdf (In macro / runtime command snippet)
    • http://kitug.lucky-opros.info/uploads/2020/01/28/bepabijowuw.pdf (In PDF document text)
    • http://formationalurimmobilier.com/uploads/1/3/0/6/130604049/dupiwilajizerot.pdf (In PDF document text)
    • http://gyroscopeme.weebly.com/uploads/1/3/0/5/130550654/losowofatolugani.pdf (In PDF document text)
    • http://sawaw.fiuggi.pro/uploads/2020/01/28/5af5e5918d882f.pdf (In PDF document text)
    • http://lemowikabo.gbpfinancials.com/uploads/2020/01/28/9494978.pdf (In PDF document text)
    • http://culezona.eu/uploads/1/3/0/6/130604133/naduvasidi.pdf (In PDF document text)
    • http://doeverythingwithgrace.com/uploads/1/3/0/4/130489039/nukemopu.pdf (In PDF document text)
    • http://shopamysattic.net/uploads/1/3/0/2/130272886/xezejimu_romefefax.pdf (In PDF document text)
    • http://alinazhukovskaya.com/uploads/1/3/0/5/130588983/5d625c5606.pdf (In PDF document text)
    • http://swimleftlabs.com/uploads/1/3/0/6/130621874/sekonozaxowupowodij.pdf (In PDF document text)
    • http://dimensionalfinancialservices.com/uploads/1/3/0/4/130483477/barivema.pdf (In PDF document text)
    • http://ncmetalbuildingsdirect.com/uploads/1/3/0/6/130639960/poromi.pdf (In PDF document text)
    • http://discgolflittleleague.com/uploads/1/3/0/5/130544390/1acd210b5ef077.pdf (In PDF document text)
    • http://allsportssuperpool.com/uploads/1/3/0/2/130291786/5792591.pdf (In PDF document text)
    • http://armsandmindsrenovations.com/uploads/1/3/0/6/130620380/pelole_vigiv_merepalijuk_josumipuwem.pdf (In PDF document text)
    • https://bugulobo.weebly.com/uploads/1/3/0/4/130477152/xuwiwu.pdf (In PDF document text)
    • http://ocholistictherapy.com/uploads/1/3/0/2/130274378/581a2.pdf (In PDF document text)
    • http://simplicityparentingwithmary.com/uploads/1/3/0/2/130272336/e22e2e3b75.pdf (In PDF document text)
    • http://boneki.dentalux.one/uploads/2020/01/28/6804551.pdf (In PDF document text)
    • http://slpresource.com/uploads/1/3/0/6/130620974/josulaguxex_fagoka.pdf (In PDF document text)
    • http://kedenozi.vipiska-egrn-besplatno.icu/uploads/2020/01/28/lavatidolotusa.pdf (In PDF document text)
    • http://oakbank-cfbt.org/uploads/1/3/0/3/130379411/130379411.html#music+of+the+night (In PDF document text)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001698.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1698
Size: 7604 bytes
SHA-256: 379d7cf146b00825dc27fdb60fb956080e259f65fe13ebc4e2a05f02057fef7f