Malicious PDF — malware analysis report

Static analysis result for SHA-256 762ea20f5a0f546c…

Verdict: MALICIOUS
File type: PDF
Size: 67.6 KB
Created: 2021-04-06 10:55:53 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: acca44766f0f9bc4c7861c356eb20c0e
SHA-1: 7ec8f7f79a30e0a4eb3096f34d0d319b38fcc43d
SHA-256: 762ea20f5a0f546cf20507a434d42f6b4f6d3f3b6f31a5e28e17b3dff96f8faa
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. It contains numerous external links, with at least two pointing to potentially malicious domains. The document body, though heavily obfuscated, appears to be a lure related to 'how to factory reset roomba 880', suggesting a phishing or scam attempt to drive users to these external resources.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9417

Heuristics (4)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection: see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://mezovuduw.ru/aws?utm_term=how+to+factory+reset+roomba+880
    • http://jofifuneku.medianewsonline.com/livro_segurana_e_auditoria_em_sistemas_de_informao.pdf
    • https://cdn.sqhk.co/vijukifezu/f2Zhbq1/33418353409.pdf
    • https://cdn.sqhk.co/pasepizut/XELSZhT/43239660450.pdf
    • http://fegivate.medianewsonline.com/brche_addieren_bungen.pdf
    • https://cdn.sqhk.co/nitagalut/WigicTB/epic_astro_story_apk_mod.pdf
    • https://cdn.sqhk.co/wezupobuwab/wihjdii/gt_car_racing_stunts.pdf
    • https://cdn.sqhk.co/viwitukaz/8bFjh8X/ijazat_old_movie_songs_pagalworld.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://seroroxunabolu.onlinewebshop.net/48751841670.pdf
    • https://s3.amazonaws.com/gotenukevepunin/fafonofezazamafimijo.pdf
    • http://nenilezum.epizy.com/how_to_see_comments_in_google_docs.pdf
    • https://s3.amazonaws.com/xapijifas/whatsapp_for_nokia_206_keypad.pdf
    • https://59b7e61f-9850-45ee-add2-e9646db267e4.filesusr.com/ugd/5b9365_f6a2664b612941c5b621cefe57727dcf.pdf?index=true
    • https://s3.amazonaws.com/wuniku/bolanle_ft_zlatan_video.pdf
    • https://s3.amazonaws.com/zalomi/chameli_movie_songs_pagalworld.pdf
    • http://nolivajujereram.rf.gd/the_firm_book_movie_cast.pdf
    • https://s3.amazonaws.com/gonima/correcting_sentences_worksheets_grade_3.pdf
    • http://pifazudiso.rf.gd/how_can_i_learn_to_use_procreate.pdf
    • https://s3.amazonaws.com/dovulavavo/how_to_make_a_log_splitter_with_a_hydraulic_jack.pdf
    • https://s3.amazonaws.com/kakekojezutok/17556560226.pdf
    • http://pemukusa.epizy.com/migosedalikerejego.pdf
    • https://s3.amazonaws.com/zatazewoz/kedexinatanojabawexoxem.pdf
    • https://s3.amazonaws.com/tobaziw/reloxepedolerutidex.pdf
    • https://76c87692-cca9-4651-be8e-de6412dad411.filesusr.com/ugd/fdad67_43374b695a354a5f9dd0b54d1a951a15.pdf?index=true
    • http://scripts.sil.org/OFL

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f872.bin
SHA-256: f2c3c62179f651db2ff68505dcf7aa06a1c3fa14e6c75f4fb6553f6c31c5b5bf
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xF872
Size: 5624 bytes