Malicious PDF — malware analysis report

Static analysis result for SHA-256 76b8ef6444493bc2…

Verdict: MALICIOUS
File type: PDF
Size: 73.6 KB
Created: 2021-03-27 12:28:53 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d42d417c47d69462a6b5f23c6082209f
SHA-1: ee62e55e9953d38750fd8fb391d3d30b644fc605
SHA-256: 76b8ef6444493bc25fd2035925fe3fdad0a09f4169396a6712a59299cb83fb18
Risk score: 154

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The file is flagged by a ClamAV signature and by the ML classifier (malicious score 0.812), which together give a high-confidence malicious verdict. The heuristic firings characterise it as an SEO link farm rather than a document: a small file generated from HTML with wkhtmltopdf whose content is a cluster of clickable links to further PDFs on throwaway free-hosting locations (weebly.com and filesusr.com subdomains, s3.amazonaws.com buckets, cdn.sqhk.co), plus a redirector-style URL on bologen.ru that carries a search phrase in its query string ('ca+real+id+checklist+pdf'). The keyword is consistent with a document seeded into search results to capture users looking for that phrase and route them through a chain of similar PDFs toward phishing or unwanted-software delivery. Nothing in the heuristic output reports JavaScript, launch actions or exploit content, so the file works as a lure and the risk materialises only when a user follows one of its links; of the two ATT&CK techniques listed, the observed behaviour supports T1566.001, while the T1203 mapping is not borne out by these findings. Two of the extracted URLs (ascendercorp.com and scripts.sil.org/OFL) are a font vendor's site and the SIL Open Font License, and most likely come from the metadata of the embedded font stream listed under extracted artifacts rather than from link annotations; they should not be counted as link-farm targets.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8120

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF_URI (info): External URI
    PDF contains an external URL action
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://bologen.ru/award?keyword=ca+real+id+checklist+pdf
    • https://kewegiru.weebly.com/uploads/1/3/1/4/131438086/3107c3.pdf
    • https://pupalizote.weebly.com/uploads/1/3/4/7/134716330/7305793.pdf
    • https://cdn.sqhk.co/libobivole/j8Xjbgj/reincarcare_cartela_telekom_roaming.pdf
    • https://denosofebulapan.weebly.com/uploads/1/3/5/3/135347567/durutopiwiban-nitugusined-boxolokatunol-wonepeka.pdf
    • https://cdn.sqhk.co/dagozuwemep/cVcxQCU/kart_stars_apkpure.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/wuzalugiseto/xijil.pdf
    • https://s3.amazonaws.com/ruzumeb/optical_fiber_communication_p_chakrabarti_download.pdf
    • https://s3.amazonaws.com/dufekifaral/wedding_planner_website_template_bootstrap.pdf
    • https://58f604bd-1fd8-4cfe-af9b-f15e67d030d5.filesusr.com/ugd/9a7439_c23ffb3fbbd24ad5b7ab998f4ea8ef1a.pdf?index=true
    • https://a86a6b26-b473-4b55-b9aa-7628a2bff077.filesusr.com/ugd/4f270c_318c70dc56da4fd58875f056def784e0.pdf?index=true
    • https://6e229dea-1f83-4be8-8cd3-388eabd4f5e3.filesusr.com/ugd/1cfe37_9606533172c9425aa289f8a65f9278c2.pdf?index=true
    • https://s3.amazonaws.com/bogeguva/street_fighter_para_android_1.pdf
    • https://61df3396-90b5-4b69-a3ae-475c9da6ebc5.filesusr.com/ugd/516574_3516a04d10074c23ae614a73d9d15f24.pdf?index=true
    • https://40785fcd-1e5e-4316-9306-5db1d5795eae.filesusr.com/ugd/2f07a1_9835b4438cff4b838874f25e20dd7b0d.pdf?index=true
    • https://s3.amazonaws.com/bodajaku/xibipixamafaruxurem.pdf
    • https://1ec9b6e7-17eb-4e1e-a994-ba5ce4cbdb7c.filesusr.com/ugd/d4a9d6_c6ed286de0854504b1428356fa5dafc3.pdf?index=true
    • https://4b4b92a8-4ac5-4030-97d5-af0917f8c077.filesusr.com/ugd/0251f0_23528a525d5744258d0e3c2fb10ae432.pdf?index=true
    • https://507f79ed-2408-4027-b124-45ed49bded7d.filesusr.com/ugd/2de61b_c9913882a335468d8c6ea49b874c4c80.pdf?index=true
    • https://8767aa75-4bd5-48c0-94ca-24e983238001.filesusr.com/ugd/debdc1_0949ffcbc3ff46e9bfea868ae65e186b.pdf?index=true
    • https://s3.amazonaws.com/wixanarer/78925028472.pdf
    • https://s3.amazonaws.com/fedojigudaj/how_to_build_a_budget_in_quicken.pdf
    • https://s3.amazonaws.com/xovekolamoxe/is_black_and_decker_a_good_coffee_maker.pdf
    • https://09d56968-2ae9-412d-ad86-e67dc63a1c23.filesusr.com/ugd/e8b91f_43214aa60473405fb52815e47311ca7d.pdf?index=true
    • http://scripts.sil.org/OFL
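The PDF_SEO_LINK_FARM heuristic above is a count-and-cluster check over the document's /URI actions. The following Python is an added example and not the analysis platform's code: it pulls every /URI target out of the raw bytes of an uncompressed PDF, folds throwaway subdomains (foo.weebly.com, <uuid>.filesusr.com) onto a registrable domain, and fires when a small file carries many external links, mostly to .pdf targets, mostly on one domain. The sample PDFs, hostnames and thresholds (200 KB, 10 links, 50 % .pdf, 30 % on one domain) are constructed for the example and are not taken from the analysed file.

```python
"""Link-farm triage for a PDF: pull every /URI action out of the raw bytes and
score size, link count and host clustering as PDF_SEO_LINK_FARM describes.
Added example, not the analysis platform's code; thresholds are assumptions."""
import re
from collections import Counter
from urllib.parse import urlsplit

# /URI followed by a literal string (...) with escaped parens, or a hex string
# <...>. Sees only uncompressed objects: inflate FlateDecode object streams first.
_URI_RE = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)")
_ESC = {ord("n"): 0x0A, ord("r"): 0x0D, ord("t"): 0x09, ord("b"): 0x08,
        ord("f"): 0x0C, ord("("): 0x28, ord(")"): 0x29, ord("\\"): 0x5C}


def _unescape_literal(raw: bytes) -> bytes:
    """Decode PDF literal-string escapes: \\( \\) \\\\ \\n ... and \\ddd octal."""
    def one(m):
        e = m.group(1)
        if e[0] in b"01234567":                  # octal code, up to three digits
            return bytes([int(e, 8) & 0xFF])
        return bytes([_ESC.get(e[0], e[0])])     # unknown escape: keep the char
    return re.sub(rb"\\([0-7]{1,3}|.)", one, raw, flags=re.S)


def extract_uris(pdf: bytes) -> list[str]:
    """Every /URI target in the raw PDF, decoded from literal or hex string form."""
    uris = []
    for m in _URI_RE.finditer(pdf):
        if m.group(1) is not None:
            raw = _unescape_literal(m.group(1))
        else:
            raw = bytes.fromhex(re.sub(rb"\s", b"", m.group(2)).decode("ascii"))
        uris.append(raw.decode("latin-1"))
    return uris


def _host_key(url: str) -> str:
    """Fold throwaway subdomains (x.weebly.com, <uuid>.filesusr.com) onto the
    registrable domain. Approximation: last two labels, no public-suffix list."""
    return ".".join((urlsplit(url).hostname or "").lower().split(".")[-2:])


def score_link_farm(pdf: bytes, max_size: int = 200 * 1024, min_links: int = 10,
                    min_pdf_share: float = 0.5, min_cluster_share: float = 0.3) -> dict:
    """Fire when a small PDF carries many external links, mostly to .pdf targets,
    mostly on one registrable domain. Thresholds are this example's assumptions."""
    external = [u for u in extract_uris(pdf) if urlsplit(u).scheme in ("http", "https")]
    pdf_links = [u for u in external if urlsplit(u).path.lower().endswith(".pdf")]
    domains = Counter(_host_key(u) for u in external)
    top, top_n = domains.most_common(1)[0] if domains else ("", 0)
    n = len(external)
    r = {"size": len(pdf), "external_links": n, "pdf_links": len(pdf_links),
         "distinct_domains": len(domains), "top_domain": top,
         "top_domain_share": top_n / n if n else 0.0,
         "pdf_link_share": len(pdf_links) / n if n else 0.0}
    r["fires"] = (r["size"] <= max_size and n >= min_links
                  and r["pdf_link_share"] >= min_pdf_share
                  and r["top_domain_share"] >= min_cluster_share)
    return r


def build_pdf(urls: list[str]) -> bytes:
    """Constructed test input: a valid one-page PDF with one /Link annotation
    carrying a /URI action per URL. Not derived from the analysed sample."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            ("<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots ["
             + " ".join(f"{4 + i} 0 R" for i in range(len(urls))) + "] >>").encode()]
    for i, u in enumerate(urls):
        esc = u.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
        objs.append((f"<< /Type /Annot /Subtype /Link /Rect [50 {700 - 12 * i} 400 "
                     f"{712 - 12 * i}] /A << /S /URI /URI ({esc}) >> >>").encode())
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += f"{num} 0 obj\n".encode() + body + b"\nendobj\n"
    xref = len(out)
    out += f"xref\n0 {len(objs) + 1}\n0000000000 65535 f \n".encode()
    out += b"".join(f"{o:010d} 00000 n \n".encode() for o in offsets)
    out += f"trailer\n<< /Size {len(objs) + 1} /Root 1 0 R >>\nstartxref\n{xref}\n%%EOF\n".encode()
    return bytes(out)


# Constructed samples (reserved .test/.example names): a carrier with 8 PDFs on
# throwaway subdomains of one domain, 3 on a CDN domain, a keyword redirector and
# a non-PDF link, versus a normal document with two citations.
SEO_SAMPLE = build_pdf(
    [f"https://site{i}.example-files.test/uploads/{i}/{i * 7919}.pdf" for i in range(8)]
    + [f"https://cdn.example-bucket.test/{w}/download.pdf" for w in ("alpha", "beta", "gamma")]
    + ["https://seo-redirect.test/award?keyword=ca+real+id+checklist+pdf",
       "http://fonts.example/license"])
NORMAL_SAMPLE = build_pdf(["https://example.org/paper.pdf", "https://example.org/"])
```

Two limitations matter in practice. The regex only sees /URI strings in plain objects, so a document that packs its annotations into FlateDecode object streams has to be inflated first (pdf-parser or a real PDF library), and the last-two-labels domain key is wrong for suffixes such as co.uk. URLs carried inside an embedded font's metadata are not /URI actions and are not counted, which is the behaviour wanted for the ascendercorp.com and scripts.sil.org entries above.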

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f8f0.bin
SHA-256: b92ff1c4f40ad3cd01ec911fb0ac519c0a7c0d38eb60a64ba5f3edb259269f5d
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xF8F0
Size: 5212 bytes