Malicious PDF — malware analysis report

Static analysis result for SHA-256 5b06e23d5c4ee1a1…

MALICIOUS

PDF

68.0 KB Created: 2021-06-10 08:31:07 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 53dfaede525190521e23d576da6975cf SHA-1: bf3e2548a068f70d363402f86b625b299e155836 SHA-256: 5b06e23d5c4ee1a1b0d8e95f5bcb40939019c4383f633899344d7eb85ea39057
124 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains multiple embedded URLs, with a primary focus on redirecting users to a site offering an 'frp google account apk'. This suggests a phishing or credential harvesting attempt, likely disguised as a tool to bypass Google account restrictions. The presence of numerous links to disposable hosting services and the ML classifier's high confidence score further support its malicious nature.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8336

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://irlanc.ru/pbw?utm_term=frp+google+account+apk
    • https://zixavuxo.weebly.com/uploads/1/3/1/3/131398386/1416036.pdf
    • https://wifusudufasebo.weebly.com/uploads/1/3/5/9/135992472/sozazitiva.pdf
    • https://gobumireg.weebly.com/uploads/1/3/1/3/131383916/xoxipa_bisosajidige.pdf
    • https://bazubipevudupu.weebly.com/uploads/1/3/4/8/134876407/fusudadonomoti.pdf
    • https://wawukonuxoni.weebly.com/uploads/1/3/4/0/134095992/judagijovotewudevu.pdf
    • https://vomuzubedabop.weebly.com/uploads/1/3/0/9/130969103/fe360ca1.pdf
    • https://vuvuzuvikedatun.weebly.com/uploads/1/3/4/5/134529562/bolefijumibarebaw.pdf
    • https://vinifobak.weebly.com/uploads/1/3/5/2/135298549/dewawu_xuwov_womixujosawibag_woxadi.pdf
    • https://xixivejeb.weebly.com/uploads/1/3/4/6/134603549/8088417.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/1f545ca2-3d6f-4f53-a883-de8ffedfacd9/market_wizards_book_review.pdf
    • https://uploads.strikinglycdn.com/files/cf86878c-a396-4b05-beb8-ab4f659dfd67/72148912405.pdf
    • http://lekadebixe.pbworks.com/f/41960944104.pdf
    • http://gurilotav.pbworks.com/w/file/fetch/144823758/how_to_switch_google_to_dark_mode_pc.pdf
    • https://uploads.strikinglycdn.com/files/794d963f-a056-40a2-b10e-36b1c2e1c002/5390472032.pdf
    • http://ziduzobif.pbworks.com/f/harry_potter_and_the_order_of_the_phoenix_pc_game_review.pdf
    • http://bojifimaral.pbworks.com/f/bulunevuvet.pdf
    • https://uploads.strikinglycdn.com/files/71d57db4-e0f6-4109-9c91-f23d24b1dc3d/zabodamepu.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e3c6.bin
02fe79ea1d7bc99ec1a08f186ec1c081e10d4b21bd410f11feacbde89a88e76e		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE3C6 4940 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.