Malicious PDF — malware analysis report

Static analysis result for SHA-256 3e7f9ad67d7640ba…

Verdict: MALICIOUS
File type: PDF

Size: 66.8 KB
Created: 2021-03-20 18:51:31 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a39bc0e2b935048cc17c622125993803
SHA-1: 9a615ab27e81267c4834eadc284f8a39ecd1bb75
SHA-256: 3e7f9ad67d7640bad7436b20dfd4bf7c36d3608046678179f5a3c29a267c70d8
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links and triggers the link-farm heuristic, suggesting an attempt to drive traffic to malicious sites. The ClamAV detection and the ML classifier score also indicate malicious intent. The embedded URL points to a domain associated with phishing, most likely intended to trick users into downloading further malicious content or providing sensitive information.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.8429

Heuristics (4)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000ec01.bin
SHA-256: a8ea3c9de3024b99f59342c86b530e80ef7a44557e1673d86ee8d2a51ae3eb05
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xEC01
Size: 5220 bytes