Malicious PDF — malware analysis report

Static analysis result for SHA-256 53bfd1e957132beb…

Verdict: MALICIOUS
File type: PDF
Size: 68.1 KB
Created: 2021-04-01 07:32:54 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e8865d77a1097b0a7bd4996f6320c75a
SHA-1: 4b73dc0f35f16ff2e89bf7753cb6d0a6eb60950f
SHA-256: 53bfd1e957132beb6702bd6c450ab12581b2ab58b5b971609ea695be86607b6c
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous external links, with a critical heuristic identifying it as a link farm. One of the primary URLs, 'https://dafemum.ru/award?keyword=cv+making+pdf', suggests a lure related to CV creation. The ClamAV detection and ML classifier output strongly indicate malicious intent, likely for phishing or distributing further malware. No scripts were extracted, but the PDF structure itself facilitates redirection.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9704

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] (PDF_URI)
    PDF contains an external URL action.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://dafemum.ru/award?keyword=cv+making+pdf
    • http://scripts.sil.org/OFL

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f346.bin
SHA-256: ca4f2f22287d0940d247cb43e7e042e69e5a0bf79aa2e63d91e7c829dea1ed2f
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xF346
Size: 5084 bytes