Malicious PDF — malware analysis report

Static analysis result for SHA-256 47285c868bc8854c…

Verdict: MALICIOUS
File type: PDF
Size: 76.3 KB
Created: 2021-04-04 14:25:09 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 28412016d2a901b700a2027744755f6b
SHA-1: bd8b8d8b5813e2f826d048191037550c9e99a2a7
SHA-256: 47285c868bc8854cb7f52a5b7923fecf59c85e6436438722d0908fa30fcae462
Risk score: 154

Machine Learning

  • Nyx PDF Classifier malicious score 0.7191

Heuristics (4)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000f2c7.bin
    SHA-256: 7302e103d0609a4cfcbfa579fd94a14d20d621d9da629aaa68d4bf36e104ef38
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF2C7
    Size: 6152 bytes
  • font_01_sfnt_off000107d1.bin
    SHA-256: f79e751ef2b70ef8ac7a782e3fb703a25a945b49da32ad24924bc71e39dd69cc
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x107D1
    Size: 5248 bytes