Malicious PDF — malware analysis report

Static analysis result for SHA-256 55cc0358b42352dc…

MALICIOUS

PDF

112.0 KB Created: 2021-02-19 23:00:08 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-07
MD5: 0bf6266b73ae3cdbf603be5d1e004144 SHA-1: b141dc3ebee3b4456d8aa7d4db9db49337a2acf0 SHA-256: 55cc0358b42352dc47fdb5ddbad909e8ad2e6ac7d73ab6158d1509fbd55413ef
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of external links, identified as a 'PDF link farm', suggesting a malicious intent to redirect users. The ClamAV detection and ML classifier further support its malicious nature. While no scripts were explicitly extracted, the PDF structure and embedded URIs indicate a phishing or SEO manipulation attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9269

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://bologen.ru/strik?utm_term=what+is+fourth+wave+feminism+fighting+for PDF link annotation
    • https://cdn.sqhk.co/tireronerogo/Vybz2hh/london_bridge_hd_wallpaper_for_laptop.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4367921/normal_602d8f2111688.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4460708/normal_5fe0bca36b3d0.pdfIn PDF document text
    • http://lamovingcompany.com/73397641736l9ppb.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4379048/normal_600dd100aaee5.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4412378/normal_5fcf4c413b236.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4446923/normal_5ff9311e88acd.pdfIn PDF document text
    • http://particulier-societegenerale.xyz/napikaycfk3.pdfIn PDF document text
    • https://tifimiwarefimi.weebly.com/uploads/1/3/4/8/134895051/85b95.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4417405/normal_600cb40ed0eef.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://bojedujob.rf.gd/extentia_group_annual_report.pdfIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00019c14.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x19C14 5312 bytes
SHA-256: 3f473dc3a8b7524d018cf61c7bbdd162ac8080010c57f9fa431a9d77a407ebea