Malicious PDF — malware analysis report

Static analysis result for SHA-256 5f4221ff516cfcde…

MALICIOUS

PDF

Size: 58.6 KB
Created: 2021-03-09 00:03:35 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 45e3eceb2e1467f89b366f239c0d0e67
SHA-1: 63b62d5984dff98a633a4288a5f6e5bd93432587
SHA-256: 5f4221ff516cfcde138636f32e3277ac28487ace13f557c64210c45a6ac8a946
Risk Score: 124

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The sample was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains numerous external URLs, with one specifically flagged as a link farm on disposable hosting, suggesting a phishing or redirection scheme. The PDF structure and embedded URIs point towards an attempt to direct users to potentially harmful external content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9734

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000cc79.bin
    SHA-256: 08082657386c0eb6e071b31bc268e1c1824a8eb7db6ea600108572ab17b20dba
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xCC79
    Size: 5224 bytes