Malicious PDF — malware analysis report

Static analysis result for SHA-256 51220f628ebb79ef…

MALICIOUS

PDF

65.9 KB Created: 2021-05-20 20:41:28 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-07-10
MD5: 206aa8d7b3725af1a30e035a634844f1 SHA-1: a43b31e9288ca48aeca89d16ceac8ff22c1eb4b2 SHA-256: 51220f628ebb79ef188cfebb9d9854189ca7d7018e3c8131366bc5f53945c03a
242 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of embedded links, many pointing to disposable hosting or known redirectors, indicating a link farm or phishing attempt. The ClamAV detection and ML classifier strongly suggest malicious intent. Although no scripts were explicitly extracted, the PDF structure and embedded URLs are indicative of a malicious document designed to redirect users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9473

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://yafferge.ru/wb?keyword=cobra%2029%20nw%20ltd%20classic%20antenna%20warning%20light In PDF document text
    • https://static.s123-cdn-static.com/uploads/4465128/normal_5fe4ef09b97ee.pdfIn PDF document text
    • https://kegigotunexopiw.weebly.com/uploads/1/3/4/4/134400153/kurenado_sezer_vuxozitulena.pdfIn PDF document text
    • https://nibasekugi.weebly.com/uploads/1/3/1/0/131070633/lojawof-padogikumilusix-dovidiz.pdfIn PDF document text
    • https://goguzosuv.weebly.com/uploads/1/3/5/3/135343726/7cf993.pdfIn PDF document text
    • https://letenotej.weebly.com/uploads/1/3/4/5/134595585/8663939.pdfIn PDF document text
    • https://tejukazirinari.weebly.com/uploads/1/3/1/3/131398521/refezitasoxe.pdfIn PDF document text
    • https://muwikoli.weebly.com/uploads/1/3/2/7/132740525/vujifimidafalem.pdfIn PDF document text
    • https://revegeworosopo.weebly.com/uploads/1/3/1/6/131637057/xerufot.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4463565/normal_5ff4da1ad32d1.pdfIn PDF document text
    • https://meboguvogo.weebly.com/uploads/1/3/1/4/131437667/xorunod_xexolobid_tojizujogopor_tegenibi.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4376602/normal_5fcb6b9c07487.pdfIn PDF document text
    • https://gapojusegora.weebly.com/uploads/1/3/1/4/131408170/0e63599c1a7c80d.pdfIn PDF document text
    • https://zoredufuno.weebly.com/uploads/1/3/4/6/134638801/d4b1c3d6e94bde7.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4414166/normal_606b351e3a060.pdfIn PDF document text
    • https://favurujovonelod.weebly.com/uploads/1/3/4/4/134435517/petamanekejusif.pdfIn PDF document text
    • https://pegogelixuj.weebly.com/uploads/1/3/0/8/130813965/nenebazex-tuzapunezigula-jorumurutuzo.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4407069/normal_602a352f78f2c.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://s3.amazonaws.com/kukupunopedon/99069830902.pdfIn PDF document text
    • https://s3.amazonaws.com/titugome/briggs_and_stratton_vanguard_engine_problems.pdfIn PDF document text
    • https://s3.amazonaws.com/benubapopikaj/badli_badli_lage_ringtone_free.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/d9469013-5df7-46da-b4bb-ccebdc85dba2/93590780327.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/576b0413-0032-47f9-9cc0-cc2b9f6f09a4/zejepexemufatil.pdfIn PDF document text
    • https://s3.amazonaws.com/navoburarovada/fortnite_background_ps4.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/7e9b5b8c-cd81-4d6c-bd8f-e05a3c4df02c/mit_solid_state_physics_lecture_notes.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/af4fb79f-0573-4c5b-bcd0-da883e8b4830/razer_blackwidow_ultimate_2016_drivers.pdfIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f216.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF216 5532 bytes
SHA-256: aba1a37c99dcbaa8870d16f266700aac6a5d575cffaab4eefc0a4902064b0c9c

Open this report in the interactive analyzer, or submit your own file for analysis.