Malicious PDF — malware analysis report

Static analysis result for SHA-256 7cab9fa71790b00a…

Verdict: MALICIOUS

File type: PDF
Size: 69.5 KB
Created: 2021-02-24 18:21:20 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 80fc3faa8fa29363be511c0591caf397
SHA-1: 27a476e86e2343ed3c88efbc7b09325c65b3317f
SHA-256: 7cab9fa71790b00aae171662971ebd4fd68ec9c3cbbce482addfc1f1f68a6d2c

Risk Score: 124

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. It contains numerous embedded URLs, with one specifically pointing to 'jacksth.ru' and disguised as a legal query, suggesting a phishing or credential harvesting attempt. The PDF's structure and the presence of many links on disposable hosting further support its role as a lure for malicious activities.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9679

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://jacksth.ru/award?keyword=what+constitutes+a+breach+of+trust+and+confidence
    • http://lojasamericanasbr.com/teamviewer_for_mac_projwh5y.pdf
    • http://kenugizi.getenjoyment.net/el_coronel_no_tiene_quien_le_escriba_personajes_wikipedia.pdf
    • http://jiwapadenejeza.getenjoyment.net/64821920626.pdf
    • http://grigolia-studio.ru/wagidt9xh3.pdf
    • http://wejuzofibab.medianewsonline.com/warof.pdf
    • http://xufededubumavif.scienceontheweb.net/como_se_hace_un_manual_de_usuario.pdf
    • http://lelekelosutov.getenjoyment.net/tekezufejegiridojo.pdf
    • http://zelopaqq.xyz/audited_balance_sheet_2019_due_dateg74zx.pdf
    • http://adv-workshop.site/jaxirakuroriwed9oldn.pdf
    • http://roxelejabojafe.scienceontheweb.net/how_to_change_installer_code_dsc_impassa.pdf
    • http://tumbochka.space/sokoredavenenezabofa2j6ei.pdf
    • http://creamwalls.online/the_beautiful_and_damned_quotes_g_eazykf5iv.pdf
    • http://jaralet.getenjoyment.net/62930331067.pdf
    • http://power-guard.shop/how_to_use_log_base_on_ti-89_titaniumikrk2.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://liraperuwuw.atwebpages.com/g-shock_gravitymaster_ga_1000-4a.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000100ad.bin
SHA-256: c24f49e84d801feb0d2f410d8ef15cc5f050bdd8731db65c25c2a9bdfe30d5c2
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x100AD
Size: 5232 bytes