Malicious PDF — malware analysis report

Static analysis result for SHA-256 52d66628131c8b95…

MALICIOUS

PDF

67.6 KB Created: 2021-03-22 12:36:02 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ee392aaad258b9b96222469f8d77ad46 SHA-1: 010b8e07da394d1997fda0dcc6b2c1bec8213e28 SHA-256: 52d66628131c8b95281b6a36a8eb6087ec841827bc4baa6c5fd96cde6264c74c
184 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF file contains a large number of external links, many of which point to other PDF documents. This behavior is indicative of a link farm, often used for SEO manipulation or to distribute further malicious content. ClamAV detected this file as 'Pdf.Phishing.Trojan-d2568dad23a94d95', suggesting a phishing or trojan-like intent. The presence of numerous external links and the ClamAV detection strongly suggest a malicious purpose, likely involving directing users to harmful sites or files.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5589

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://golowaki.ru/aws?utm_term=how+to+organize+community+service+projects
    • https://duvogepemib.weebly.com/uploads/1/3/5/3/135315067/9546538.pdf
    • https://zizopozuwugova.weebly.com/uploads/1/3/0/7/130775786/489637.pdf
    • https://cdn-cms.f-static.net/uploads/4412394/normal_5fea3695f106d.pdf
    • https://fuxovibafisiboj.weebly.com/uploads/1/3/0/8/130874455/7772161.pdf
    • https://dozexida.weebly.com/uploads/1/3/4/5/134590021/b0409e0e65.pdf
    • https://static.s123-cdn-static.com/uploads/4411229/normal_5fdef54d4fe13.pdf
    • https://mofugitapab.weebly.com/uploads/1/3/4/7/134728490/vavanu-lufamaxonivu-jiwajupexatamu-pasajivevutom.pdf
    • https://cdn-cms.f-static.net/uploads/4371536/normal_602bf585e7b1b.pdf
    • https://dolilifiwu.weebly.com/uploads/1/3/4/4/134401054/6ad890a3c.pdf
    • https://cdn-cms.f-static.net/uploads/4457563/normal_602804c09967b.pdf
    • https://cdn-cms.f-static.net/uploads/4368997/normal_601ac7345292d.pdf
    • https://minileponefij.weebly.com/uploads/1/3/1/0/131070526/xizadaw_tovedeme_titifaven_sutoxitod.pdf
    • https://tiselewo.weebly.com/uploads/1/3/1/6/131606631/9b44275048c87.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/varolexexus/97645133678.pdf
    • https://uploads.strikinglycdn.com/files/e4d50564-6374-4586-92b5-15079e82065b/honda_power_washer_parts_gcv190.pdf
    • https://720c7b34-a033-4bf0-83ea-6be17de98aa2.filesusr.com/ugd/03ef8e_c2dad2152bdc4c9bb1a2b082226a7b32.pdf?index=true
    • https://uploads.strikinglycdn.com/files/4e9eae88-000a-4f01-9b47-1f318ac2de92/bisalirobizimifugebo.pdf
    • https://uploads.strikinglycdn.com/files/6482e409-2bb5-4ca6-af90-8e1188c4b0d1/mibufonipiru.pdf
    • https://uploads.strikinglycdn.com/files/86ad3177-2c13-4f6f-a482-c95a16c45eed/things_wrong_with_american_girl_dolls_are_retired.pdf
    • https://7211abc3-b26e-437e-abd8-8a8c7ebd4af5.filesusr.com/ugd/0683fb_b3c89eaab3eb483f897102a22f32152c.pdf?index=true
    • https://ebc1add8-0b9d-418e-9e4a-1e287827e933.filesusr.com/ugd/ab63e3_0a431308e77d4f2fb3b099e7518b3920.pdf?index=true
    • https://uploads.strikinglycdn.com/files/43a1d0e0-bcfc-4192-823e-41d19ffc4c04/7558194307.pdf
    • https://s3.amazonaws.com/wezukep/industrial_revolution_dbq_answers.pdf
    • https://s3.amazonaws.com/zijivevip/chillara_gang_full_song.pdf
    • https://s3.amazonaws.com/nigimul/81447689771.pdf
    • https://4d75d3c9-3a4d-4df6-84ab-e48b83d723e5.filesusr.com/ugd/cdb50c_0ba5c945d6684d8f948d9fc3de96a452.pdf?index=true
    • http://scripts.sil.org/OFL

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001007b.bin
c928edb11a4713b3fc47cf91d63f157b6a6eff79cab35a501e1ee09ac5632410		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1007B 5564 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.