Malicious PDF — malware analysis report

Static analysis result for SHA-256 787caf94e0726388…

MALICIOUS

PDF

Size: 69.3 KB
Created: 2021-02-26 05:54:40 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4950db8908e4343eee131c302009b6d3
SHA-1: 5105bae8ffca8d929cbdfb9f28bf355b41ffd541
SHA-256: 787caf94e0726388274911fc59cb6eaf9cc20e4ad63611efe29f1617502415ef
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous external links, characteristic of a link farm, with one URL directly referencing a search query. This suggests a phishing or SEO poisoning tactic to direct users to malicious content. The ClamAV detection and ML classifier further indicate malicious intent, likely to deliver a second-stage payload via the linked URLs.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9929

Heuristics (5)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PDFSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://maypoin.ru/award?keyword=what+are+the+symptoms+of+a+bad+injector+pump

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000e09b.bin
    SHA-256: 6fd6dba8320b003027078b96a3d43a9064370d452022ad99d9f5b9e7737b2c7d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE09B
    Size: 5696 bytes
  • font_01_sfnt_off0000f3e3.bin
    SHA-256: 32605ecc57b9f15491b8d37c58e5bad4985aaa7a861fe58261e1da03be4b13ee
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF3E3
    Size: 9696 bytes