Malicious PDF — malware analysis report

Static analysis result for SHA-256 3b0a395a0099f916…

MALICIOUS

PDF

Size: 72.3 KB
Created: 2021-04-30 23:52:05 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-29

MD5: 4d994bee3df837d2709a921b9743baba
SHA-1: 905255eea345f02ecf215464e19f4ec0661ab360
SHA-256: 3b0a395a0099f9163fd67e0c579785a859fb8b8ca56ac7b7a47d98a1a30d7243

Risk Score: 126

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains multiple embedded URLs. The only clickable link annotation points to 'midufefew.ru', with a utm_term of 'pro tools 10 ilok license crack', which is the signature of a search-engine redirector feeding a phishing or malware-distribution chain. The remaining .pdf links sit in the document text, spread across many free or disposable hosts with no single dominant host; the PDF_SEO_DISPOSABLE_LINK_FARM heuristic flags exactly this pattern. The ascendercorp.com and scripts.sil.org/OFL URLs are almost certainly font-licence strings carried by the embedded sfnt fonts, not lure links. Together with the ML classifier score and the ClamAV signature, this makes the verdict clear: the file is an SEO lure for cracked software that routes readers into redirect chains. The PDF itself carries no exploit, so the risk lies in the linked destinations rather than in opening the file.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9679

Heuristics (5)

  • ClamAV detection (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware under the signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0.
  • Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • PDF differential parser failed (info, PDF_DIFFERENTIAL_PARSE_FAILED)
    The cross-check parser (pdfminer.six) failed on this file with PDFSyntaxError. Static heuristics still ran and their findings above are valid; only the differential cross-check signal is missing.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://midufefew.ru/strik?utm_term=pro+tools+10+ilok+license+crack (in PDF link annotation)
    • https://cdn-cms.f-static.net/uploads/4377905/normal_5fe9eeb46a9e6.pdf (in PDF document text)
    • http://ladirojenovezoj.mygamesonline.org/fexajalapulu.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4475734/normal_5ff8d937e5c84.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4403119/normal_6023f01207e10.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4403680/normal_605599d2169b4.pdf (in PDF document text)
    • http://wamipivifubape.sportsontheweb.net/dewumupelawobiba.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4470040/normal_5fcf9fb50c7c8.pdf (in PDF document text)
    • http://milafikolume.iblogger.org/bapesupigibukixa.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • http://jimarol.myartsonline.com/ortopedia_y_traumatologia_silberman_4ta_edicion.pdf (in PDF document text)
    • http://lopaxoreje.rf.gd/62195806679.pdf (in PDF document text)
    • https://cff07a16-13b2-455b-8a78-148a75b158b4.filesusr.com/ugd/cda0c7_a32d33b580844120a18fc02cf7e1c5f8.pdf?index=true (in PDF document text)
    • https://569e8712-2873-4b93-a654-ea71b6b809e3.filesusr.com/ugd/345929_b29d9c86c0e74bbfaf12acee7684881a.pdf?index=true (in PDF document text)
    • http://walaratetev.epizy.com/kubota_bx25d_attachments.pdf (in PDF document text)
    • http://mupumirupuwanaf.epizy.com/benak.pdf (in PDF document text)
    • http://bujisovi.epizy.com/absent_letter_for_work_template.pdf (in PDF document text)
    • https://923a8ca3-316b-4844-b38f-9bc955ad4852.filesusr.com/ugd/312e0e_86756110e5e74594927f2ba01757f9d7.pdf?index=true (in PDF document text)
    • https://6fd4412c-3e6e-4f21-a9af-8137ffc6c0d9.filesusr.com/ugd/03469c_bc7e5cd9b7ed4c98825f302f2e98e114.pdf?index=true (in PDF document text)
    • https://12c48f50-3553-44c7-a31c-19fc5df83d07.filesusr.com/ugd/7e0eb0_e5b9d6c00e594c4daddf18f88928857b.pdf?index=true (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
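The link-farm heuristic above is easy to reproduce from the extracted URL list alone. The following is an added illustration written for this page, not the scanner's own code: it re-implements the stated features (many .pdf links, spread thin across distinct hosts with no dominant host, corroborated by a utm_term redirector and/or disposable hosts, in a small file) and runs them over the 22 URLs this report lists. The thresholds, the 256 KB "small file" cut-off and the DISPOSABLE_HOST_SUFFIXES list are assumptions; the arxiv.org control list is constructed to show what a normal citation pattern looks like.

```python
"""Re-implementation of the PDF_SEO_DISPOSABLE_LINK_FARM heuristic described
in the report. Added illustration, not the scanner's code; thresholds and the
disposable-host list are assumptions made for this example."""
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Assumption: free/disposable content hosts. The scanner's real list is not
# published; these suffixes are simply the ones that appear in this report.
DISPOSABLE_HOST_SUFFIXES = (
    "filesusr.com", "f-static.net", "s123-cdn-static.com", "epizy.com",
    "rf.gd", "mygamesonline.org", "sportsontheweb.net", "iblogger.org",
    "myartsonline.com",
)

# (url, channel) pairs copied from the EMBEDDED_URL findings in the report.
REPORT_URLS = [
    ("https://midufefew.ru/strik?utm_term=pro+tools+10+ilok+license+crack", "link annotation"),
    ("https://cdn-cms.f-static.net/uploads/4377905/normal_5fe9eeb46a9e6.pdf", "document text"),
    ("http://ladirojenovezoj.mygamesonline.org/fexajalapulu.pdf", "document text"),
    ("https://static.s123-cdn-static.com/uploads/4475734/normal_5ff8d937e5c84.pdf", "document text"),
    ("https://cdn-cms.f-static.net/uploads/4403119/normal_6023f01207e10.pdf", "document text"),
    ("https://cdn-cms.f-static.net/uploads/4403680/normal_605599d2169b4.pdf", "document text"),
    ("http://wamipivifubape.sportsontheweb.net/dewumupelawobiba.pdf", "document text"),
    ("https://static.s123-cdn-static.com/uploads/4470040/normal_5fcf9fb50c7c8.pdf", "document text"),
    ("http://milafikolume.iblogger.org/bapesupigibukixa.pdf", "document text"),
    ("http://www.ascendercorp.com/", "document text"),
    ("http://www.ascendercorp.com/typedesigners.html", "document text"),
    ("http://jimarol.myartsonline.com/ortopedia_y_traumatologia_silberman_4ta_edicion.pdf", "document text"),
    ("http://lopaxoreje.rf.gd/62195806679.pdf", "document text"),
    ("https://cff07a16-13b2-455b-8a78-148a75b158b4.filesusr.com/ugd/cda0c7_a32d33b580844120a18fc02cf7e1c5f8.pdf?index=true", "document text"),
    ("https://569e8712-2873-4b93-a654-ea71b6b809e3.filesusr.com/ugd/345929_b29d9c86c0e74bbfaf12acee7684881a.pdf?index=true", "document text"),
    ("http://walaratetev.epizy.com/kubota_bx25d_attachments.pdf", "document text"),
    ("http://mupumirupuwanaf.epizy.com/benak.pdf", "document text"),
    ("http://bujisovi.epizy.com/absent_letter_for_work_template.pdf", "document text"),
    ("https://923a8ca3-316b-4844-b38f-9bc955ad4852.filesusr.com/ugd/312e0e_86756110e5e74594927f2ba01757f9d7.pdf?index=true", "document text"),
    ("https://6fd4412c-3e6e-4f21-a9af-8137ffc6c0d9.filesusr.com/ugd/03469c_bc7e5cd9b7ed4c98825f302f2e98e114.pdf?index=true", "document text"),
    ("https://12c48f50-3553-44c7-a31c-19fc5df83d07.filesusr.com/ugd/7e0eb0_e5b9d6c00e594c4daddf18f88928857b.pdf?index=true", "document text"),
    ("http://scripts.sil.org/OFL", "document text"),
]

# Constructed control: a normal paper citing ten preprints on a single host.
CITATION_URLS = [(f"https://arxiv.org/pdf/2101.{i:05d}.pdf", "document text")
                 for i in range(10)]

REPORT_FILE_SIZE = 74035  # 72.3 KB, from the report header


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_pdf_link(url):
    # The query string (e.g. ?index=true) is not part of .path, so the
    # filesusr.com links still count as .pdf links.
    return urlparse(url).path.lower().endswith(".pdf")


def on_disposable_host(url):
    host = host_of(url)
    return any(host == s or host.endswith("." + s) for s in DISPOSABLE_HOST_SUFFIXES)


def is_seo_redirector(url):
    # utm_term carrying the search query is the SEO-redirector tell.
    return "utm_term" in parse_qs(urlparse(url).query)


def link_farm_features(urls, file_size_bytes, small_file_limit=256 * 1024):
    """Compute the features the heuristic reasons about (thresholds assumed)."""
    pdf_links = [u for u, _channel in urls if is_pdf_link(u)]
    hosts = Counter(host_of(u) for u in pdf_links)
    top = max(hosts.values()) if hosts else 0
    return {
        "small_file": file_size_bytes < small_file_limit,
        "pdf_links": len(pdf_links),
        "distinct_hosts": len(hosts),
        "dominant_share": top / len(pdf_links) if pdf_links else 0.0,
        "disposable_links": sum(on_disposable_host(u) for u in pdf_links),
        "seo_redirector": any(is_seo_redirector(u) for u, _channel in urls),
    }


def is_link_farm(features, min_links=8, min_hosts=5, max_dominant_share=0.5):
    """Spread-thin PDF links plus at least one corroborating signal."""
    f = features
    spread_thin = (f["pdf_links"] >= min_links and f["distinct_hosts"] >= min_hosts
                   and f["dominant_share"] <= max_dominant_share)
    corroborated = f["seo_redirector"] or f["disposable_links"] >= min_links
    return bool(f["small_file"] and spread_thin and corroborated)


if __name__ == "__main__":
    for name, urls in (("report", REPORT_URLS), ("citation control", CITATION_URLS)):
        feats = link_farm_features(urls, REPORT_FILE_SIZE)
        print(name, feats, "-> link farm:", is_link_farm(feats))
```

Two points are worth keeping in mind when reading the output. The only link a reader can actually click is the midufefew.ru annotation; the eighteen .pdf URLs in the body text are the search-engine spray that gets the document ranked, and they land on fifteen distinct hosts with the busiest one carrying just three links. The control list, ten links to one host, fails the spread-thin test even though it has more .pdf links per host than the sample, which is the "normal citation pattern" the heuristic text contrasts against.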

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000e5a1.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xE5A1
  Size: 5052 bytes
  SHA-256: c5c7e886dd945d75220b3c409272afa557b7c229bb64f1cafe8b68f88f655c6b

Filename: font_01_sfnt_off0000f6e5.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF6E5
  Size: 11636 bytes
  SHA-256: e5e9ff40e0d470d8e699d47c0303abdf41f6be881dcb6c458f9dc5d7e7323752