Malicious PDF — malware analysis report

Static analysis result for SHA-256 657c639a32694277…

Verdict: MALICIOUS
File type: PDF
Size: 76.3 KB
Created: 2021-03-29 21:25:37 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f5813ac8374246c76356c7cb52da1243
SHA-1: e31c41e4862cbae4da15b51eb7bd34b16fc1870c
SHA-256: 657c639a326942777300a7ff5d4fd117a9cc9fe0def0ba87831a64d2ba847486
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many of which are to benign-looking PDF files, suggesting a link farm or SEO poisoning tactic. One of the primary external links, 'https://druttle.ru/award?keyword=bank+rating+methodology+pdf', is suspicious and likely leads to a phishing or malware distribution site. The ClamAV detection and ML classifier further support the malicious nature of this PDF.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9807

Heuristics (4)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • [info] PDF_URI: External URI
    PDF contains an external URL action
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://druttle.ru/award?keyword=bank+rating+methodology+pdf

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00010714.bin
SHA-256: a92327c6dbb1adcb7c5952165796c3a1acd66dccfe082d53974bb5d6cabc9d11
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x10714
Size: 5492 bytes