Malicious PDF — malware analysis report

Static analysis result for SHA-256 6d9eb8ba0952127f…

MALICIOUS

PDF

Size: 91.4 KB
Created: 2021-03-17 21:20:29 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d1e021f4da05f7ffb97c850c5dab0c2f
SHA-1: 339272675ec2d868e1157eea33d7588fa8e7e88f
SHA-256: 6d9eb8ba0952127f419eac608f2874d1915af972c7bee00a5c12da31328b74b1
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains a large number of external links, many of which are likely part of a link farm designed to manipulate search engine results. The primary URL, 'https://resalured.ru/award?keyword=breakthrough+thinking+from+inside+the+box+pdf', suggests a lure to a topic that is likely a pretext for phishing or malware distribution. ClamAV detection as 'Pdf.Phishing.Trojan' further supports its malicious nature.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6718

Heuristics (4)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://resalured.ru/award?keyword=breakthrough+thinking+from+inside+the+box+pdf

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • stream_006_off000165f1.bin
    SHA-256: f3c535fe503e96123879d94080567d4ab4a5f8579eea7e20e509c2fe7fcbdab2
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x165F1
    Size: 3223 bytes
  • font_00_sfnt_off00012c7e.bin
    SHA-256: be8c592d82220e98bb0cd4ff921e4343d038e3203f1171c882bbdeaff778384a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12C7E
    Size: 5624 bytes
  • font_01_sfnt_off00013f75.bin
    SHA-256: ef2dec13ffce446231b243cac87bb49c8057fc0e1e80694c96867cf2b210f19e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x13F75
    Size: 11416 bytes