Malicious PDF — malware analysis report

Static analysis result for SHA-256 50fddd57a577844e…

MALICIOUS

PDF

62.4 KB Created: 2021-06-04 04:43:00 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8553e6267332d46b55d3f6145efc779c SHA-1: 536ad782284cd85a229d7d3c7ff394d4357956a0 SHA-256: 50fddd57a577844efbb57ebe994e69cd61ec15820f148d0e9c22cd34742a19c0
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a phishing or malware distribution attempt. It contains a large number of external links, many of which are to benign-looking documents, suggesting a link farm or SEO poisoning tactic to mask malicious intent. The primary malicious URL identified is 'https://queure.ru/pbw?utm_term=dressmaker+ii+sewing+machine+instruction+manual', which is likely used to host or redirect to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8081

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://queure.ru/pbw?utm_term=dressmaker+ii+sewing+machine+instruction+manual
    • https://bejuzozomixur.weebly.com/uploads/1/3/5/9/135966319/jonifakanedova.pdf
    • https://pururejipe.weebly.com/uploads/1/3/4/2/134265449/bitem_xezulexa.pdf
    • https://cdn-cms.f-static.net/uploads/4366369/normal_60269c2801f17.pdf
    • https://nusewuna.weebly.com/uploads/1/3/4/0/134096348/topaba-faminug-dotot.pdf
    • https://xonatiwomunonow.weebly.com/uploads/1/3/1/8/131856992/218d89.pdf
    • https://rixilokif.weebly.com/uploads/1/3/4/1/134109141/010223dce7.pdf
    • https://cdn-cms.f-static.net/uploads/4419452/normal_601aa21ff156a.pdf
    • https://kabenodetaxixum.weebly.com/uploads/1/3/4/7/134754863/1804571.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/ca3a8178-4d44-4610-b808-3c01c2a7bd5e/superficial_vein_thrombosis_treatment_uptodate.pdf
    • http://fuxedemama.pbworks.com/f/wakumune.pdf
    • https://uploads.strikinglycdn.com/files/4497032f-5540-4ae2-852e-c2536d41f20c/honda_transmission_fluid_change_mileage.pdf
    • http://lekuzax.pbworks.com/w/file/fetch/144417405/sexotawo.pdf
    • http://juwelite.pbworks.com/f/yardworks_lawn_mower_manual.pdf
    • https://uploads.strikinglycdn.com/files/145e81f8-6b17-468d-9cbc-7ad770348ab1/89508408252.pdf
    • https://uploads.strikinglycdn.com/files/b2dc94a0-cee6-4ea1-b0ab-24f95acc9da6/pagosifenonijejefo.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c8ee.bin
73dfff16b5495cea41a78a7c7f284650fcf99fa80016ac0c12b390e420bc2ed2		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC8EE 5368 bytes
font_01_sfnt_off0000db22.bin
d14f6ee55e91cb1c1ad479c7523b499c0079e50fca8fd9b230df515ebf4ded64		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDB22 10248 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.