Malicious PDF — malware analysis report

Static analysis result for SHA-256 7601ea78d8374e73…

MALICIOUS

PDF

76.4 KB Created: 2021-01-30 04:38:56 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-11
MD5: 3b1d1ae964de8ec134b276b8ac3667de SHA-1: de5441ff4a247cb3842bbd7ee732b15d72d862a1 SHA-256: 7601ea78d8374e73114eb1fcdb0f1e1ecac1c3c1ec7e4f018c1d421cb5c473a6
184 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and a machine learning classifier. It contains a large number of external links, many pointing to disposable hosting services, suggesting a link farm or phishing operation. The document body, though heavily corrupted, contains keywords related to 'Anganwadi bharti 2019 mp online form', indicating a lure for job seekers. The presence of PDF_URI and PDF_SEO_LINK_FARM heuristics further supports the malicious intent of redirecting users to potentially harmful sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9672

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://seumenha.ru/aws?utm_term=anganwadi+bharti+2019+mp+online+form PDF link annotation
    • https://nikigetevakawu.weebly.com/uploads/1/3/1/4/131413362/5142866.pdfIn PDF document text
    • http://triple-doska3.club/93023856350fo1yk.pdfIn PDF document text
    • http://befelofote.iblogger.org/crear_bibliografia_formato_apa_online.pdfIn PDF document text
    • https://kopigipovivon.weebly.com/uploads/1/3/1/4/131484029/e2e77.pdfIn PDF document text
    • https://berigagagek.weebly.com/uploads/1/3/1/3/131384675/6768226.pdfIn PDF document text
    • http://abzac.me/wowowigirizifozan6fqp.pdfIn PDF document text
    • https://vefoxetewezelir.weebly.com/uploads/1/3/1/4/131483279/771631.pdfIn PDF document text
    • https://vewuwoxefi.weebly.com/uploads/1/3/1/3/131379256/xadafininisipir.pdfIn PDF document text
    • https://nexojavadu.weebly.com/uploads/1/3/0/7/130775828/lofas.pdfIn PDF document text
    • https://ripumoravoramex.weebly.com/uploads/1/3/1/6/131606135/8543141.pdfIn PDF document text
    • https://filavemegu.weebly.com/uploads/1/3/4/8/134883773/vijeja.pdfIn PDF document text
    • https://lovaxases.weebly.com/uploads/1/3/4/6/134685664/xavamipupa.pdfIn PDF document text
    • https://betutemibo.weebly.com/uploads/1/3/1/4/131453998/970180.pdfIn PDF document text
    • https://runewabelew.weebly.com/uploads/1/3/0/8/130813516/keparuvon.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://jimabepur.rf.gd/40730211292.pdfIn PDF document text
    • https://s3.amazonaws.com/regufojalojaza/bseb_10th_result_2019_full_marksheet.pdfIn PDF document text
    • https://s3.amazonaws.com/bevarolimesale/scholarship_form_online_2019_last_date.pdfIn PDF document text
    • http://ramapenutizawa.epizy.com/ll_bean_maine_guide_shirt.pdfIn PDF document text
    • http://dobejevilorizu.epizy.com/gmp_guidelines_annex_15.pdfIn PDF document text
    • https://s3.amazonaws.com/nezanurugega/pumel.pdfIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_004_off0001174e.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x1174E 16428 bytes
SHA-256: 4b1ac2c645d74566f4110a9990b8ad7704b238c88b44cb8e1e092f55b2479bfe
font_00_sfnt_off0000dcec.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDCEC 5980 bytes
SHA-256: c388aeff1cc78776f259b139cc40ecb49aafd91582c182e23d2bd220fad87661
font_01_sfnt_off0000f133.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF133 11232 bytes
SHA-256: 60621e82447e87206ff96ddad4adb78427e69c392b1b540d9d99c5830198b68c