Malicious PDF — malware analysis report

Static analysis result for SHA-256 630629c17dbf4195…

Verdict: MALICIOUS
File type: PDF
Size: 83.2 KB
Created: 2021-03-22 18:48:48 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2a91b2dc6f6cd047feeb1f78172ce3c7
SHA-1: 70f65d94efd6fc693f8184077cf5cc05ba7bef4b
SHA-256: 630629c17dbf41951eb88384967748721cd00fef445e76de34389d53ccee7b51
Risk score: 154

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript (tagged by the classifier; no JavaScript was extracted from this sample, so the static evidence below does not support this mapping)

The sample is a small (83.2 KB) PDF generated from HTML with wkhtmltopdf. Its clickable link annotations point to 26 externally hosted .pdf files on throwaway hosting (weebly.com subdomains, filesusr.com, cdn.sqhk.co, rf.gd, epizy.com, onlinewebshop.net and similar), reached through a keyword-style entry link (botokaw.ru/award?keyword=blanching+of+food+pdf). That is the signature of a generated SEO link-farm carrier, not of a genuine document about food blanching: the "blanching of food" text is the lure and the linked sites are the payoff. The ClamAV phishing signature and the PDF classifier (0.6094, a moderate score that would not be conclusive on its own) support the verdict. No JavaScript or other scripts were extracted, so the verdict rests on the link structure rather than on active content. The remaining six URLs (on ascendercorp.com, daltonmaag.com, scripts.sil.org and dejavu.sourceforge.net) are font foundry and font licence references, consistent with metadata of the embedded fonts listed under Extracted artifacts, and are not part of the link farm.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6094

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF_URI (info): External URI
    PDF contains an external URL action
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://botokaw.ru/award?keyword=blanching+of+food+pdf
    • https://xixusumer.weebly.com/uploads/1/3/0/8/130814933/bexitofu.pdf
    • http://logmeinnow.xyz/what_does_dr_berg_eatido7j.pdf
    • https://bagawilikazukir.weebly.com/uploads/1/3/1/0/131070307/murabojijigorap.pdf
    • https://cdn.sqhk.co/munenetifu/heCdMje/assalamu_alaikum_assalam_song.pdf
    • https://xigobelez.weebly.com/uploads/1/3/1/6/131606473/ravenafidevif-sikuxogatoxulaz-fimoketur-wusalurizipo.pdf
    • http://geosen.net/fake_gps_location_donate_pro_apkaymuk.pdf
    • http://vosajizegek.mypressonline.com/19533519917.pdf
    • https://jononosafopobof.weebly.com/uploads/1/3/4/6/134649788/fb271ec.pdf
    • https://fafenerukore.weebly.com/uploads/1/3/1/3/131398145/4c7f9e4afb3d941.pdf
    • https://cdn.sqhk.co/tixukiko/Uhfjhgc/37685933501.pdf
    • https://cdn.sqhk.co/tuwovado/mj4vieq/calendar_problem_solving_worksheets_for_grade_2.pdf
    • http://bikelumonekodex.mygamesonline.org/8062834761.pdf
    • http://vonexalux.sportsontheweb.net/55033785325.pdf
    • http://arevakar-travel.com/mine_engineering_courses_in_australia7mlvm.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://58552d80-c20c-4e4f-99b9-91bedbcc07a3.filesusr.com/ugd/c18496_96064d614eb74a0bb4fbc4190399fa40.pdf?index=true
    • http://nirobow.epizy.com/fepobevovuturisikozinudu.pdf
    • http://sopavame.onlinewebshop.net/benexudopafawavufakamaxa.pdf
    • https://827a6da4-a69c-4806-aaaa-db522494bc4d.filesusr.com/ugd/cb5916_a4c223ccd3e645f0b3cf1fc32517ab5a.pdf?index=true
    • https://0dd0cd87-80d3-4eb5-b9c6-73c43c3a6fca.filesusr.com/ugd/f0b6b3_d33d4d54160e41e3a520187486a0f21d.pdf?index=true
    • http://bifiwapaz.onlinewebshop.net/jojomoxigedukesodupedumav.pdf
    • http://parezuz.rf.gd/dimobijuwozavapenod.pdf
    • https://0404cab7-c021-4537-be79-420bcb2f88cc.filesusr.com/ugd/52c240_77e98bcae7364e01a73a0aaee385f7e2.pdf?index=true
    • http://budokukikaririd.rf.gd/how_to_export_tableau_dashboard_into_excel.pdf
    • https://77bac38d-831a-46d6-8f22-d7743fcadc58.filesusr.com/ugd/5b9a87_18593f4f7ead473bbe2b6b51ec0033ac.pdf?index=true
    • http://kipabiz.rf.gd/27157755125.pdf
    • http://losaxoxajav.epizy.com/pasurubosema.pdf
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
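The two heuristics above rest on a distinction the URL list alone does not show: which URLs are clickable /URI link actions (the link-farm channel) and which merely occur as text inside decoded streams (font licence strings, XMP, page content). The script below is an added example for this report, not the scanner's own code. It extracts both channels from a PDF with plain regex plus zlib, labels each URL the way the EMBEDDED_URL entry describes, and then applies the PDF_SEO_LINK_FARM test (small file, many clickable .pdf links, most of them on one registrable domain) to the clickable set only. The sample PDF is constructed inline with made-up hosts; the size and count thresholds and the two-label "registrable domain" rule are assumptions of this example, not the scanner's.

```python
"""Link-farm triage for a small PDF.

Added example for this report, not the scanner's own code. It separates
URIs the reader can click (/URI link actions) from URLs that merely occur
as text inside decoded streams (font licence strings, XMP, page text) and
then scores the clickable set the way PDF_SEO_LINK_FARM is described.
The sample PDF is constructed inline with made-up hosts; the thresholds
and the two-label "registrable domain" rule are assumptions of this example.
"""
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

# /A << /S /URI /URI (literal) >>  or  /URI <hex string>, as HTML-to-PDF converters emit them
URI_ACTION = re.compile(rb"/S\s*/URI\s*/URI\s*(?:\((.*?)(?<!\\)\)|<([0-9A-Fa-f\s]*)>)", re.S)
STREAM = re.compile(rb"\bstream\r?\n(.*?)endstream", re.S)  # \b stops 'endstream' matching
URL_TEXT = re.compile(r"https?://[^\s<>()\"']+")


def decoded_streams(pdf):
    """Yield (offset, body) for every stream, inflating /FlateDecode ones.
    zlib ignores the EOL left before 'endstream', so no /Length parsing is needed."""
    for m in STREAM.finditer(pdf):
        head = pdf[max(0, m.start() - 400):m.start()]
        i = head.rfind(b" obj")                     # dictionary of the owning object
        head = head[i:] if i >= 0 else head
        body = m.group(1)
        if b"/FlateDecode" in head:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                pass                                # damaged or multi-filter: scan raw bytes
        yield m.start(), body

def link_annotation_uris(pdf):
    """URIs from /URI actions: what a click in the document actually opens."""
    found = {}
    for data in [pdf] + [body for _, body in decoded_streams(pdf)]:
        for lit, hx in URI_ACTION.findall(data):
            raw = bytes.fromhex(hx.decode()) if hx else lit
            found.setdefault(raw.decode("latin-1"), True)
    return list(found)

def stream_text_urls(pdf):
    """URLs that only occur as text in decoded streams. Font 'name' tables
    store licence URLs as UTF-16BE, so both decodings are tried."""
    found = {}
    for off, data in decoded_streams(pdf):
        for text in (data.decode("latin-1"), data.decode("utf-16-be", "ignore")):
            for url in URL_TEXT.findall(text):
                found.setdefault(url, off)
    return found

def classify_urls(pdf):
    """Label each URL with the channel that reached it; a clickable link wins."""
    channels = {}
    for u in link_annotation_uris(pdf):
        channels.setdefault(u, "link annotation")
    for u in stream_text_urls(pdf):
        channels.setdefault(u, "stream text")
    return channels

def registrable(host):
    return ".".join(host.split(".")[-2:])          # crude; use a public-suffix list in production

def link_farm_verdict(pdf, small_kb=200, min_links=10, cluster=0.5):
    """PDF_SEO_LINK_FARM: small file, many clickable .pdf links, most on one domain."""
    pdf_links = [u for u in link_annotation_uris(pdf)
                 if urlparse(u).path.lower().endswith(".pdf")]
    domains = Counter(registrable(urlparse(u).hostname or "") for u in pdf_links)
    top, n = domains.most_common(1)[0] if domains else ("", 0)
    share = n / len(pdf_links) if pdf_links else 0.0
    hit = len(pdf) <= small_kb * 1024 and len(pdf_links) >= min_links and share >= cluster
    return {"pdf_links": len(pdf_links), "top_domain": top,
            "top_share": round(share, 2), "PDF_SEO_LINK_FARM": hit}

def build_sample_pdf(farm_links):
    """Constructed sample, not the analysed file: links to made-up subdomains of
    one hosting domain, one hex-encoded link, one non-PDF link, and a Flate
    stream standing in for an embedded font that carries a licence URL."""
    annots = [f"<< /Subtype /Link /A << /S /URI /URI "
              f"(https://site{i}.example-hosting.invalid/uploads/{i:08x}.pdf) >> >>"
              for i in range(farm_links)]
    annots.append("<< /Subtype /Link /A << /S /URI /URI <%s> >> >>"
                  % b"http://hex.invalid/x.pdf".hex())
    annots.append("<< /Subtype /Link /A << /S /URI /URI (http://www.corp.invalid/) >> >>")
    font = zlib.compress(b"\x00\x01\x00\x00" + "http://scripts.sil.org/OFL".encode("utf-16-be"))
    objs = ["<< /Type /Catalog /Pages 2 0 R >>",
            "<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            "<< /Type /Page /Parent 2 0 R /Annots [%s] >>" % " ".join(annots),
            "<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(font)]
    out = b"%PDF-1.4\n"
    for num, body in enumerate(objs, 1):
        out += f"{num} 0 obj\n{body}".encode("latin-1")
        if num == 4:
            out += font + b"\nendstream"
        out += b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"   # no xref: irrelevant to regex triage

if __name__ == "__main__":
    sample = build_sample_pdf(12)
    for url, channel in classify_urls(sample).items():
        print(f"{channel:16} {url}")
    print(link_farm_verdict(sample))
```

Run against a real carrier the licence URLs land in the "stream text" bucket while the farm links land in "link annotation", which is exactly the split that keeps font metadata from inflating the link count. The regex approach deliberately skips xref parsing so it also works on malformed files; it does not follow object streams (/ObjStm), which a PDF 1.5+ writer can use to hide annotation dictionaries, so treat a clean result from a file that contains /ObjStm as incomplete.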

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000f314.bin
    Kind: pdf-font-stream  Source: PDF embedded font (sfnt) at offset 0xF314  Size: 4784 bytes
    SHA-256: b2efe0d705c54c6acb2763f4e7ec5b593c464be5c349e9a8d15568fc2f3b04e8
  • font_01_sfnt_off00010342.bin
    Kind: pdf-font-stream  Source: PDF embedded font (sfnt) at offset 0x10342  Size: 11712 bytes
    SHA-256: 5fbf20260f3882311cb5999de104386cefd4b648ba22de1ba8e195f4df093e07
  • font_02_sfnt_off00012b3b.bin
    Kind: pdf-font-stream  Source: PDF embedded font (sfnt) at offset 0x12B3B  Size: 16204 bytes
    SHA-256: 541fa2b6826b0add99b7d5a173ef1e6a5567607b5192f75b810eb17d6a563501
  • font_03_sfnt_off00014069.bin
    Kind: pdf-font-stream  Source: PDF embedded font (sfnt) at offset 0x14069  Size: 4324 bytes
    SHA-256: 1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361
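The artifacts above are sfnt (TrueType/OpenType) fonts carved out of the PDF's font streams, each reported by offset, extent and hash. The script below is an added example of that carving step, not the scanner's carver: it scans decoded bytes for an sfnt offset table, validates the table directory (sane table count, printable tags, no table overlapping the directory or running off the end) and the mandatory 'head' table magic, and only then reports offset, size and SHA-256. Feed it the contents of FontFile2/FontFile3 streams after inflating any /FlateDecode filter. The sample blob is constructed inline; the 56-byte 'head' stand-in carries only the magic number a real 'head' table has, and the lookalike header with an absurd table count is there to show that a bare magic match is not enough.

```python
"""Carve and sanity-check sfnt (TrueType/OpenType) fonts from decoded bytes.

Added example for this report, not the scanner's carver. It scans a byte blob
for an sfnt offset table, validates the table directory and the mandatory
'head' table, and reports offset, extent and SHA-256 as in the artifacts
table. Feed it decoded FontFile2/FontFile3 stream contents (inflate any
/FlateDecode stream first). The sample blob below is constructed; the 56-byte
'head' stand-in only carries the magic number real fonts have.
"""
import hashlib
import struct

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO")   # TrueType, Apple TrueType, CFF OpenType
HEAD_MAGIC = 0x5F0F3CF5                                # fixed value at offset 12 of 'head'


def parse_sfnt(blob, off):
    """Validate the offset table and table directory at `off`.
    Returns (size, {tag: (offset, length)}) or None when this is not a font."""
    if off + 12 > len(blob):
        return None
    num_tables = struct.unpack_from(">H", blob, off + 4)[0]
    if not 1 <= num_tables <= 64:                  # real fonts carry a few dozen tables
        return None
    dir_end = 12 + 16 * num_tables
    if off + dir_end > len(blob):
        return None
    tables, extent = {}, dir_end
    for i in range(num_tables):
        tag, _csum, t_off, t_len = struct.unpack_from(">4sIII", blob, off + 12 + 16 * i)
        if not all(0x20 <= b < 0x7F for b in tag):  # tags are printable ASCII ('cvt ', 'OS/2')
            return None
        if t_off < dir_end or off + t_off + t_len > len(blob):  # overlaps directory / truncated
            return None
        tables[tag.decode("ascii")] = (t_off, t_len)
        extent = max(extent, t_off + t_len)
    head = tables.get("head")
    if not head or head[1] < 16 or struct.unpack_from(">I", blob, off + head[0] + 12)[0] != HEAD_MAGIC:
        return None                                # 'head' and its magic number are mandatory
    return extent, tables


def carve_fonts(blob):
    """Return (fonts, rejected): validated fonts as dicts, plus offsets of headers
    that looked like a font but failed validation (corrupt, truncated, or a
    lookalike such as the word 'true' in page text)."""
    fonts, rejected, pos = [], [], 0
    while True:
        hits = [h for h in (blob.find(m, pos) for m in SFNT_MAGICS) if h >= 0]
        if not hits:
            return fonts, rejected
        off = min(hits)
        parsed = parse_sfnt(blob, off)
        if parsed is None:
            rejected.append(off)
            pos = off + 1
            continue
        size, tables = parsed
        data = blob[off:off + size]
        fonts.append({"offset": off, "size": size, "tables": sorted(tables),
                      "sha256": hashlib.sha256(data).hexdigest(), "data": data})
        pos = off + size                           # skip the body so inner bytes are not rescanned


def build_font(tables, magic=b"\x00\x01\x00\x00"):
    """Assemble a minimal sfnt from {tag: bytes}; constructed test data only."""
    n = len(tables)
    records, body, off = b"", b"", 12 + 16 * n
    for tag, data in tables.items():
        records += struct.pack(">4sIII", tag.encode("ascii"), 0, off, len(data))
        body += data
        off += len(data)
    return magic + struct.pack(">HHHH", n, 0, 0, 0) + records + body


HEAD = b"\0" * 12 + struct.pack(">I", HEAD_MAGIC) + b"\0" * 40   # 56-byte stand-in for 'head'
FONT_A = build_font({"head": HEAD, "glyf": b"\x01\x02\x03\x04" * 8})
FONT_B = build_font({"head": HEAD, "CFF ": b"\x01\x00\x04\x01" * 4}, magic=b"OTTO")
BOGUS = b"\x00\x01\x00\x00" + struct.pack(">H", 50000) + b"\0" * 20  # absurd table count
PAD1, PAD2, PAD3 = b"%PDF junk before ", b" more junk ", b" trailing bytes"
SAMPLE_BLOB = PAD1 + FONT_A + BOGUS + PAD2 + FONT_B + PAD3          # constructed carrier

if __name__ == "__main__":
    found, bad = carve_fonts(SAMPLE_BLOB)
    for f in found:
        print(f"sfnt at {f['offset']:#x}: {f['size']} bytes, tables {f['tables']}, sha256 {f['sha256'][:16]}...")
    print("rejected candidates at", [hex(o) for o in bad])
```

The extent is the end of the furthest table, which is what the Size column above records; hashing exactly that span is what makes the per-artifact SHA-256 stable across carvers. A rejected candidate is worth a second look rather than silent discard: a font stream whose directory is deliberately malformed is one of the classic ways to reach parser bugs in PDF readers.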