Malicious PDF — malware analysis report

Static analysis result for SHA-256 495062a4da6f88ec…

MALICIOUS

PDF

Size: 66.8 KB
Created: 2021-04-03 18:32:13 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bcd2ba07c59ff29e812371e208fdf955
SHA-1: 67bc4923e2ed468363cca26b925a675396918334
SHA-256: 495062a4da6f88ec747d249c3e0b79ad8bc757417e49421d857f95cb75017a73
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many of which are likely part of a link farm or SEO manipulation scheme, as indicated by the PDF_SEO_LINK_FARM heuristic. One of the primary external URIs points to a suspicious domain, suggesting a potential phishing or malware distribution attempt. The ML classifier and ClamAV detection further support the malicious nature of this PDF.

Machine Learning

  • Nyx PDF Classifier malicious score: 0.9417

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://gimoguvi.ru/award?keyword=fmge+notes+pdf+download

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f68e.bin
SHA-256: c607b3bf0070b80efc4a54364ce85d009081841c74a01b86d70e5e4f53c01cbc
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xF68E
Size: 5052 bytes