Malicious PDF — malware analysis report

Static analysis result for SHA-256 3edfc98507968134…

Verdict: MALICIOUS
File type: PDF
Size: 62.7 KB
Created: 2021-03-14 22:11:19 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0858d7afa213a74389dbf0186e34b2ff
SHA-1: 5c70851693df458feea4ae275b7dc994469a3f9e
SHA-256: 3edfc9850796813484bc5027690893dc717136be08cf798ca0ace4a655f8b828
Risk Score: 154

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF is small (62.7 KB), was rendered from HTML by wkhtmltopdf, and carries an unusually large number of clickable external links, which is what the PDF_SEO_LINK_FARM heuristic keys on. One of them, https://seumenha.ru/award?keyword=tenses+rewrite+exercises+pdf, appears directly as an embedded link target. ClamAV independently detects the file as Pdf.Phishing.Trojan, and the Nyx PDF classifier scores it 0.8395 malicious. None of the heuristics that fired point to JavaScript, embedded files or exploit content, so the verdict rests on the link-farm structure, the signature and the classifier. That is consistent with an SEO-spam or redirect carrier that routes readers to attacker-controlled download pages rather than with a document exploit; the T1203 mapping is only weakly supported by the evidence shown here.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8395

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains a mass external PDF link farm
    A small PDF carries many clickable external links to other PDFs, mostly clustered on one host. This matches the generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, not a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF_URI (info): External URI
    The PDF contains an external URL action (/URI), i.e. a link that opens a web address when clicked.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. A URL on its own is not a detection; the per-URL channel label (macro, JS, link annotation, document body, ...) says how each URL is reached. The http://www.ascendercorp.com/ entries and http://scripts.sil.org/OFL below are the kind of vendor and licence strings normally carried in a font's name table; given the sfnt font carved from this sample, they are most likely font metadata rather than clickable links and should be weighed accordingly.
    • https://seumenha.ru/award?keyword=tenses+rewrite+exercises+pdf
    • https://static.s123-cdn-static.com/uploads/4405185/normal_6004f4dc29d08.pdf
    • https://cdn-cms.f-static.net/uploads/4501482/normal_60110ff2cc154.pdf
    • https://static.s123-cdn-static.com/uploads/4481282/normal_5ffdd9533aeb5.pdf
    • http://waystep.site/tukoburerulodafu3f6en.pdf
    • http://getliterate.online/cambridge_advanced_trainer1gtlr.pdf
    • http://buyervannakupitvsem.xyz/7223306218261ma0.pdf
    • https://static.s123-cdn-static.com/uploads/4473064/normal_5fc8a562dd5b4.pdf
    • https://cdn-cms.f-static.net/uploads/4469374/normal_60472b9475457.pdf
    • http://kigurumi.org/what_is_the_average_salary_of_a_mechanical_engineer_in_us51dab.pdf
    • http://navaram.online/perfect_english_grammar_superlative_exercises4qtp8.pdf
    • http://naturka.space/tunufejivakadikavifizobon52f5.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://8909b315-4d59-4940-aabf-0fdaa532e0ad.filesusr.com/ugd/4542d9_80e7f5db33044d78b9b6d9876fed2cf2.pdf?index=true
    • https://uploads.strikinglycdn.com/files/9cf0a51d-7ead-4011-b7f4-97a3c5813a26/38034746487.pdf
    • https://uploads.strikinglycdn.com/files/81c07a07-192b-4748-bcef-b76ad98f8222/troy_bilt_pony_mower_deck_belt_size.pdf
    • https://994180ce-385f-4272-9833-4a204a825e0f.filesusr.com/ugd/ec0c41_3e6103a933e544c488af3062fb6e2ea4.pdf?index=true
    • https://uploads.strikinglycdn.com/files/d30fbb3e-d629-4619-b02b-8d995d6191c8/34697585504.pdf
    • https://uploads.strikinglycdn.com/files/ca01f962-5c7e-4f23-893b-48b6b3deb0d7/sajumulifanafaki.pdf
    • https://e6a48395-9ebc-465e-8505-c4b20d7b8e72.filesusr.com/ugd/81e12b_7254a585145a41f59c37aae959505d43.pdf?index=true
    • https://uploads.strikinglycdn.com/files/81f4894d-24ab-4523-8630-a9746cbc5d99/36155606696.pdf
    • https://uploads.strikinglycdn.com/files/97f2e606-9381-4d29-8199-56173c722d6d/skil_circular_saw_blade_change.pdf
    • https://uploads.strikinglycdn.com/files/23e96f55-9bb2-4898-8973-273f30f3b7d1/chamberlain_liftmaster_professional_1_2_hp_garage_door_opener_manual.pdf
    • https://uploads.strikinglycdn.com/files/e5812fca-a9a3-44dd-a080-0c93d8089d64/fiseji.pdf
    • https://uploads.strikinglycdn.com/files/8324ced4-ca9e-4486-a447-614c155a4913/waneravoporilirebelotuv.pdf
    • http://scripts.sil.org/OFL
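The PDF_SEO_LINK_FARM heuristic and the EMBEDDED_URL channel labels above are straightforward to reproduce. The following Python is an added example written for this page, not the analysis engine's own code: it pulls /URI link actions out of a PDF (including ones packed into Flate-compressed object streams), labels every URL by the channel that carries it, and applies a link-farm rule. The thresholds (200 KB, 10 links, 50% of links on one host), the helper names and the constructed sample PDF are assumptions, not values taken from the report.

```python
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

# A clickable link is a /Link annotation with /A << /S /URI /URI (target) >>;
# the target is a literal string (...) or a hex string <...>. Both are matched.
URI_LITERAL = re.compile(rb'/URI\s*\(((?:\\.|[^\\)])*)\)', re.S)
URI_HEX = re.compile(rb'/URI\s*<([0-9A-Fa-f\s]*)>')
# Any http(s) URL in the bytes, clickable or not (font name tables, metadata,
# page text): the "document body" channel.
RAW_URL = re.compile(rb'https?://[^\s<>()"\'\\]+')
STREAM = re.compile(rb'stream\r?\n(.*?)\nendstream', re.S)


def inflate_streams(data: bytes) -> bytes:
    """Raw bytes plus every stream that zlib can inflate. Annotation dicts packed
    into FlateDecode object streams are invisible to a plain byte scan."""
    out = [data]
    for m in STREAM.finditer(data):
        try:
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate, or needs decode parameters this example ignores
    return b'\n'.join(out)


def extract_uri_actions(data: bytes) -> list:
    """URLs opened by a /URI action on click (the PDF_URI channel)."""
    buf = inflate_streams(data)
    found = [re.sub(rb'\\([()\\])', rb'\1', m.group(1)) for m in URI_LITERAL.finditer(buf)]
    for m in URI_HEX.finditer(buf):
        h = re.sub(rb'\s', b'', m.group(1)).decode()
        found.append(bytes.fromhex(h + '0' if len(h) % 2 else h))  # PDF pads odd hex with 0
    return [u.decode('latin-1') for u in found]


def url_channels(data: bytes) -> dict:
    """Map every URL in the file to the channel carrying it, so a font-licence
    string in metadata is not mistaken for a clickable link."""
    clickable = set(extract_uri_actions(data))
    return {u: ('link_annotation' if u in clickable else 'document_body')
            for u in (m.group(0).decode('latin-1') for m in RAW_URL.finditer(inflate_streams(data)))}


def link_farm_verdict(data: bytes, max_size=200 * 1024, min_links=10, min_top_host_share=0.5) -> dict:
    """Link-farm rule: small file, many distinct clickable external links, and a
    large share of them on one host. Thresholds are assumptions for this example."""
    external = sorted({u for u in extract_uri_actions(data) if urlparse(u).scheme in ('http', 'https')})
    hosts = Counter(urlparse(u).hostname for u in external)
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_n / len(external) if external else 0.0
    return {'size': len(data), 'clickable_external': len(external), 'top_host': top_host,
            'top_host_share': round(share, 2),
            'hit': len(data) <= max_size and len(external) >= min_links and share >= min_top_host_share}


def build_sample_pdf(urls, compressed_urls=(), info_text=''):
    """Constructed sample, not the analysed file: one /Link annotation per URL, an
    optional FlateDecode stream with more annotation dicts, and an /Info string.
    No xref table is written; the byte scanners above do not need one."""
    objs = [b'%PDF-1.4', b'1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj',
            b'2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj']
    annots = ' '.join('%d 0 R' % i for i in range(5, 5 + len(urls)))
    objs.append(('3 0 obj << /Type /Page /Parent 2 0 R /Annots [%s] >> endobj' % annots).encode())
    objs.append(('4 0 obj << /Producer (wkhtmltopdf 0.12.5) /Subject (%s) >> endobj' % info_text).encode())
    for i, u in enumerate(urls, start=5):
        objs.append(('%d 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 10] '
                     '/A << /S /URI /URI (%s) >> >> endobj' % (i, u)).encode())
    if compressed_urls:
        z = zlib.compress(b'\n'.join(('<< /Subtype /Link /A << /S /URI /URI (%s) >> >>' % u).encode()
                                     for u in compressed_urls))
        objs.append(b'90 0 obj << /Type /ObjStm /Filter /FlateDecode /Length %d >>\nstream\n' % len(z)
                    + z + b'\nendstream\nendobj')
    return b'\n'.join(objs) + b'\n%%EOF\n'


# Constructed input shaped like the report's URL list: many links on one CDN
# host, a few on throwaway domains, and a font-licence URL that is only metadata.
SAMPLE = build_sample_pdf(
    ['https://uploads.strikinglycdn.com/files/%d/doc.pdf' % i for i in range(8)]
    + ['http://waystep.site/a.pdf', 'https://seumenha.ru/award?keyword=tenses+rewrite+exercises+pdf'],
    compressed_urls=['https://uploads.strikinglycdn.com/files/z%d/doc.pdf' % i for i in range(2)],
    info_text='font licence: http://scripts.sil.org/OFL')

if __name__ == '__main__':
    print(link_farm_verdict(SAMPLE))
    for url, channel in url_channels(SAMPLE).items():
        print(channel, url)
```

The byte-scanning approach is deliberately simple: it does not handle encrypted PDFs, non-Flate filters, /URI targets stored as indirect objects, or other action types (/Launch, /GoToR, /SubmitForm). For production triage, feed the same rule with the output of a real PDF parser rather than regexes.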

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000cfca.bin
SHA-256: 0078636d4fc3b4d1fc6bc87d10127280930e849254e450ed2d30d79c2d2b2532
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xCFCA
Size: 5016 bytes