Malicious PDF — malware analysis report

Static analysis result for SHA-256 51c65fe12154fd4f…

MALICIOUS

PDF

Size: 79.6 KB
Created: 2021-05-16 19:40:14 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-20
MD5: 381b71140989d0ef5344df06302e300e
SHA-1: 204ee15a1af5ee1b996f5b1d38c6c839db5b1b74
SHA-256: 51c65fe12154fd4fd9cef4e78dadb266cf68bbf7282510b134c445454bd05d76
Risk Score: 124

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous embedded URLs, many pointing to disposable hosting, indicating it functions as a link farm. The heuristic 'PDF_SEO_DISPOSABLE_LINK_FARM' and the ClamAV detection 'Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0' strongly suggest a malicious intent, likely phishing or malware delivery. The primary IOC is the external URI pointing to 'https://jumiwimov.ru/strik?utm_term=fancy+calligraphy+alphabet+styles+from+a+to+z'.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9476

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://jumiwimov.ru/strik?utm_term=fancy+calligraphy+alphabet+styles+from+a+to+z (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off00010c44.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10C44 | 5676 bytes
  SHA-256: f2763146fac1f8496ab23fcdde84514006626defb10f4fc96d0b8e7405f89845
font_01_sfnt_off00011f7a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11F7A | 10416 bytes
  SHA-256: 4fb9590608ac49eefbbfe6ae8e10ef4ad40269875f546f1f9dd379a922e70a98