Malicious PDF — malware analysis report

Static analysis result for SHA-256 65e3b1bb5da4c79f…

Verdict: MALICIOUS
File type: PDF

Size: 80.4 KB
Created: 2021-03-27 14:02:36 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-21

MD5: 9980d939bff5fd055579ba1de91f394c
SHA-1: 71d055f8b4808a13ddd3d48d02b9cde88c9e2b41
SHA-256: 65e3b1bb5da4c79f7a7ab38829694951e38a220658a615b4a50388c57fc789e1

Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains a large number of external links, many of which are hosted on suspicious domains or use generic filenames, indicating a link farm or SEO spam tactic. ClamAV flagged the file as a phishing trojan, and the ML classifier also scored it as malicious. Although no scripts were extracted, the presence of numerous external links suggests an attempt to redirect the user to malicious content or phishing sites.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.8071

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00010d07.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10D07
    Size: 5248 bytes
    SHA-256: 9d09f3e8318cd38c47951d6a5274c980f2986522fa246c5efea66711fe499b34
  • Filename: font_01_sfnt_off00011f03.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11F03
    Size: 11228 bytes
    SHA-256: 204e55d3133bc9e3b73c0666d5ecd4f988c6e3c7741a414cc5a6fe994ba9f113