Malicious PDF — malware analysis report

Static analysis result for SHA-256 3e7976a60231cd53…

Verdict: MALICIOUS
File type: PDF
Size: 105.0 KB
Created: 2021-03-30 01:01:55 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-22
MD5: 16550bf88d903d58a34a568e0425c7c6
SHA-1: a1cd8742bea6f5da372b8ade42895bc6956044c0
SHA-256: 3e7976a60231cd5339ce97a268113a7eafedec11c8d0d2310fa28ce8df2e0d71
Risk Score: 184

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF file contains a large number of external links, many of them hosted on disposable domains, which indicates a link farm or SEO-manipulation tactic rather than normal document citations. ClamAV flagged the file as a phishing trojan (Pdf.Phishing.Trojan) and the ML classifier scored it as malicious. The file carries no exploit itself; the large set of external links points to a distribution mechanism for further malicious content or phishing pages at the linked destinations.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8850

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting [medium, PDF_SEO_DISPOSABLE_LINK_FARM]
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • External URI [info, PDF_URI]
    PDF contains an external URL action.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (channel in brackets):
    • https://lozipotod.ru/strik?utm_term=antonio+gramsci+hegemony+in+hindi [PDF link annotation]
    • https://zajasonasijo.weebly.com/uploads/1/3/4/6/134627958/2512263.pdf [in PDF document text]
    • https://cdn-cms.f-static.net/uploads/4366043/normal_60145855deb17.pdf [in PDF document text]
    • https://fenulibamale.weebly.com/uploads/1/3/4/6/134601409/navajuxibepapovemi.pdf [in PDF document text]
    • https://cdn-cms.f-static.net/uploads/4403260/normal_601c7124ba7eb.pdf [in PDF document text]
    • https://cdn-cms.f-static.net/uploads/4454435/normal_601ae472aa5e3.pdf [in PDF document text]
    • https://cdn-cms.f-static.net/uploads/4366309/normal_60234817a8138.pdf [in PDF document text]
    • https://static.s123-cdn-static.com/uploads/4389823/normal_5fce626c375f0.pdf [in PDF document text]
    • https://lanekugufer.weebly.com/uploads/1/3/5/3/135351315/lezabodixulojiru.pdf [in PDF document text]
    • http://piroluzufu.iblogger.org/97690219394.pdf [in PDF document text]
    • https://static.s123-cdn-static.com/uploads/4459926/normal_5fca91a53aa2a.pdf [in PDF document text]
    • http://sajutasure.22web.org/forex_rates_hdfc_bank.pdf [in PDF document text]
    • https://cdn-cms.f-static.net/uploads/4368493/normal_6056e01cb35e7.pdf [in PDF document text]
    • https://static.s123-cdn-static.com/uploads/4491665/normal_5fc73285811f8.pdf [in PDF document text]
    • http://gaxopuxa.iblogger.org/google_chrome_apk_latest.pdf [in PDF document text]
    • https://cdn-cms.f-static.net/uploads/4407085/normal_603fde7013946.pdf [in PDF document text]
    • https://cdn-cms.f-static.net/uploads/4417997/normal_6044d177a9d39.pdf [in PDF document text]
    • https://static.s123-cdn-static.com/uploads/4480755/normal_5fc8830990389.pdf [in PDF document text]
    • http://zekagepalido.iblogger.org/pipizajiber.pdf [in PDF document text]
    • https://static.s123-cdn-static.com/uploads/4456134/normal_5fd05b0c04218.pdf [in PDF document text]
    • https://xovuxajewilim.weebly.com/uploads/1/3/0/7/130775567/98f6b.pdf [in PDF document text]
    • https://cdn-cms.f-static.net/uploads/4493578/normal_603459d47494b.pdf [in PDF document text]
    • https://fobepomakiroka.weebly.com/uploads/1/3/0/8/130874330/88e8ee9f3570.pdf [in PDF document text]
    • http://www.ascendercorp.com/ [in PDF document text]
    • http://www.ascendercorp.com/typedesigners.html [in PDF document text]
    • http://fefirujo.rf.gd/77183809473.pdf [in PDF document text]
    • http://nixewawomito.epizy.com/web_design_proposal_email_template.pdf [in PDF document text]
    • http://gapevizatijaba.epizy.com/cancer_de_intestino_grueso.pdf [in PDF document text]
    • http://scripts.sil.org/OFL [in PDF document text]

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00017eea.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x17EEA
Size: 5412 bytes
SHA-256: 19fb49d52d448176c0f08fc40f69f1d1e38ba637eaccbeeea6e8a308600f6940