Malicious PDF — malware analysis report

Static analysis result for SHA-256 43eaa765618e2a39…

MALICIOUS

PDF

Size: 65.6 KB
Created: 2021-03-14 12:49:22 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-18
MD5: b590e376072688f8f12935d73ac058e3
SHA-1: c2f1027a2045a8a623f6047792ac156229aa9d55
SHA-256: 43eaa765618e2a391bebf8272202b18af4661ace96420f6a5780ceb997b171be
Risk score: 124

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution
  • T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9676

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting [medium, PDF_SEO_DISPOSABLE_LINK_FARM]
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI [info, PDF_URI]
    PDF contains an external URL action
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://jumiwimov.ru/strik?utm_term=ejemplos+de+algoritmos+diagramas+de+flujo+y+pseudocodigos (PDF link annotation)
    • http://sasawavivar.mygamesonline.org/gudizivakejijik.pdf (in PDF document text)
    • http://mimisijuz.mypressonline.com/makerere_university_business_school_fees_structure.pdf (in PDF document text)
    • http://agentsoft.space/bajrangi_bhaijaan_songs_free_pkjizwr.pdf (in PDF document text)
    • http://gedatidigog.sportsontheweb.net/bufokamu.pdf (in PDF document text)
    • http://sifisomatexow.sportsontheweb.net/aptitude_and_reasoning_questions_with_answers_download.pdf (in PDF document text)
    • http://jowitut.iblogger.org/hoover_windtunnel_2_rewind_pet_filter_replacement.pdf (in PDF document text)
    • http://kmikaerfs.ru/6347116702u1ydz.pdf (in PDF document text)
    • http://alkostore.xyz/whats_daughter_in_spanishtibw8.pdf (in PDF document text)
    • http://pushbiz.fun/1266555580279sg2.pdf (in PDF document text)
    • http://bibivire.mygamesonline.org/kevaxejad.pdf (in PDF document text)
    • http://gutufozif.iblogger.org/mobile_world_live_tv_apps.pdf (in PDF document text)
    • http://movawizaxaxato.mywebcommunity.org/binelujobigolimigojopiso.pdf (in PDF document text)
    • http://gemajelibetojup.scienceontheweb.net/adverb_in_english_grammar.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://0621cc9e-6449-4e8a-a8bd-baee9ad62a2c.filesusr.com/ugd/affb4a_115aed08374b4112b3b3d1c9f316d919.pdf?index=true (in PDF document text)
    • https://04c936c6-ffa4-4e5e-9cf6-d086164b7bfa.filesusr.com/ugd/370ea2_f9bc677fdfe647878812eb8475dfcd2a.pdf?index=true (in PDF document text)
    • http://joxegav.rf.gd/teberasakif.pdf (in PDF document text)
    • https://4a5660cc-52a2-48ff-9acb-4b4f1704cb6e.filesusr.com/ugd/81868d_5fcbaf0088374c8cb7fc9bffd3a91e5d.pdf?index=true (in PDF document text)
    • http://vesedakowata.onlinewebshop.net/12275231099.pdf (in PDF document text)
    • https://167c8e7b-8160-49a2-a88e-f26749d647c8.filesusr.com/ugd/1ad47d_dd3f672eb36c4c8c978100cac9760fdc.pdf?index=true (in PDF document text)
    • http://gamutazuzores.epizy.com/seethamma_andalu_ramayya_sitralu_naa_songs.pdf (in PDF document text)
    • https://7c8f45b7-e058-4e27-bccd-8ee7dcb26900.filesusr.com/ugd/d5cf39_31a826da3cd24038a7651e62e63cb522.pdf?index=true (in PDF document text)
    • http://redowana.epizy.com/voboxomekojepevuxako.pdf (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f2ba.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xF2BA
Size: 5612 bytes
SHA-256: c3662080ae2ae5dc9e419c536cbb432b2a2fb19a6b6bfa0f82c17ac00b7edca6