Malicious PDF — malware analysis report

Static analysis result for SHA-256 6b5302627be0693e…

Verdict: MALICIOUS

File type: PDF

Size: 67.6 KB
Created: 2021-04-04 22:57:50 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2c2c72fd785ea4361845d2a62a759ca8
SHA-1: ab391a7deb4b6745316a7de73f9c3accc5bd6dca
SHA-256: 6b5302627be0693ec6a95bea356662d070d867d40a9f99f9e6d1a573104aa984
Risk Score: 124

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

Heuristics indicate that this PDF is a link farm hosted on disposable infrastructure; this is supported by a high ML score and a ClamAV detection as a phishing trojan. The embedded URL points to a domain associated with malicious activity and is disguised as educational material. No scripts were extracted, but the PDF structure and its external links are consistent with a phishing or malware delivery attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7697

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://midufefew.ru/aws?utm_term=ncert+practice+workbook+mathematics+class+6+pdf

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000ff31.bin
SHA-256: 29bbd9c1ab7e2ccfd50093b6836bce05b0c414d560035c289566af11e95e1130
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xFF31
Size: 5816 bytes