Malicious PDF — malware analysis report

Static analysis result for SHA-256 4ac059e638c1ef73…

Verdict: MALICIOUS
File type: PDF
Size: 106.3 KB
Created: 2021-06-05 11:43:32 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4949bda563dba79ffcf57926a44073b4
SHA-1: d4315ea34486b3d1ac8152eee527f21afbf3f452
SHA-256: 4ac059e638c1ef73f6ab4d584606cf4c29814f2c853c100f6827ba0d80366865
Risk Score: 124

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many pointing to PDF files with numeric slugs, indicative of a link farm or SEO spam. The ClamAV detection as 'Pdf.Phishing.Trojan' and the presence of numerous external URLs strongly suggest a malicious intent, likely phishing or malware distribution. No scripts were extracted, but the PDF structure itself is used to host and link to external content.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0839

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF_URI (info): External URI
    PDF contains an external URL action
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

font_00_sfnt_off0001470d.bin
  SHA-256: a95d63fca50b4c71399b489fcfffbb830bcf756823c53e6a8693c425460d1a18
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1470D
  Size: 1928 bytes

font_01_sfnt_off00014f77.bin
  SHA-256: ff808e2711519b19cb1548064acf3c0e10a84f06bf2684da34924e448da09253
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x14F77
  Size: 5232 bytes

font_02_sfnt_off00016128.bin
  SHA-256: 6f251ba019474549aa1e8304b35bc8832e475fd0bb7b242a925518298bd76790
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x16128
  Size: 2156 bytes

font_03_sfnt_off00016a5d.bin
  SHA-256: 91a6efcf3b6cb5e335e5e500979684279756bda57de347381d35eb264fb7742f
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x16A5D
  Size: 13148 bytes

font_04_sfnt_off000196d6.bin
  SHA-256: e519f4e4ac6d9b0f57dce0c0d49b484e4d1d842646fa75230b4829220ba81c73
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x196D6
  Size: 16140 bytes