Malicious PDF — malware analysis report

Static analysis result for SHA-256 67195954f002d224…

MALICIOUS

PDF

Size: 69.5 KB
Created: 2021-03-27 18:34:40 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8a6dd44b1200383ac3cd8565ea29ff4f
SHA-1: d88dd27ee75f3965e24d4c8e3d69079c117ac87c
SHA-256: 67195954f002d224679e0fd55bbf6366406d6ffab220593bb3ad49d928a58f07
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, many pointing to suspicious domains, suggesting a link farm or phishing attempt. The ML classifier and ClamAV detection strongly indicate malicious intent. While no scripts were explicitly extracted, the PDF structure and embedded links are indicative of a malicious document designed to redirect users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9620

Heuristics (4)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://gimoguvi.ru/award?keyword=hernia+hiatal+tratamiento+quirurgico+pdf
    • https://zefilezagomi.weebly.com/uploads/1/3/4/4/134474677/sitanejikevufotugud.pdf
    • http://fabermanufacture.ru/weider_pro_9940_weight_set8uidz.pdf
    • http://itawegan.space/bigesixikin1nyyo.pdf
    • https://dewazolasimuf.weebly.com/uploads/1/3/1/4/131453174/9280306.pdf
    • http://dabopoxele.getenjoyment.net/zifiwubefutoxojexi.pdf
    • http://raisinshub.pro/jevobamoxovojedaksr7v4.pdf
    • http://agent-ritual495.online/tivaromapozasujryhmo.pdf
    • https://dubekanenek.weebly.com/uploads/1/3/3/9/133997540/ad568ff8223bc24.pdf
    • https://rewazute.weebly.com/uploads/1/3/4/6/134648352/72c45de36.pdf
    • https://juvuvekogowara.weebly.com/uploads/1/3/1/8/131856935/ada0db.pdf
    • https://static.s123-cdn-static.com/uploads/4477863/normal_5ff44e990c58d.pdf
    • http://gujozulogisin.scienceontheweb.net/amino_acids.pdf
    • http://xikapajami.mypressonline.com/breve_storia_della_letteratura_italiana.pdf
    • https://fuzonigeli.weebly.com/uploads/1/3/0/8/130813785/412708.pdf
    • https://cdn-cms.f-static.net/uploads/4448727/normal_603ce72be0d16.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/23949cb9-4cac-4fa2-bbd9-a05a4400595c/best_free_online_diary_app_android.pdf
    • https://uploads.strikinglycdn.com/files/4e1c9eb0-a70b-432c-984d-9c5babeaab3e/how_can_i_tell_what_model_my_kindle_fire_is.pdf
    • https://uploads.strikinglycdn.com/files/31305758-702d-4664-af60-14e2ab90aed8/new_york_city_on_united_states_map.pdf
    • https://uploads.strikinglycdn.com/files/8ca83c73-4b4f-43e7-981f-7a590b95f7e8/the_bloody_chamber_by_angela_carter.pdf
    • https://uploads.strikinglycdn.com/files/081a5556-1086-4d78-8242-f7ba8870814c/nejapugimumipalok.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f2a0.bin
SHA-256: 6d8cdc2e6ceb1ca43da86a0e16327cd2b1c2c7dda6d8923c838ca53d9dc5f57d
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xF2A0
Size: 5360 bytes