Malicious PDF — malware analysis report

Static analysis result for SHA-256 7d2cf30493c174a3…

Verdict: MALICIOUS
File type: PDF
Size: 194.0 KB
Created: 2018-04-25 18:11:49 +03:00
Authoring application: wkhtmltopdf 0.12.4 (via Qt 4.8.7)
First seen: 2021-06-17
MD5: 4797b6c8b5dff998ef2d7a2e92eba99b
SHA-1: aff4d483e7de3d909a4997ba3f9530b0a6ec68fb
SHA-256: 7d2cf30493c174a35f15b3a3c2db1d11416a1f534145eeaaae8617c07dce4cae
Risk Score: 64

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains an external URI pointing to 'renimba.info', which is flagged as a link farm on disposable hosting. This suggests the document's primary purpose is to redirect users to potentially malicious or spam-related content. No scripts were extracted, but the presence of external links and the ML classification indicate malicious intent.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9439

Heuristics (3)

  • [medium] PDF_SEO_DISPOSABLE_LINK_FARM: Small PDF is a non-clustered link farm on disposable hosting
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://renimba.info/wp1?keyword=%D1%80%D0%B5%D1%88%D0%B5%D0%B1%D0%BD%D0%B8%D0%BA+%D0%BF%D0%BE+%D1%80%D1%83%D1%81%D1%81%D0%BA%D0%BE%D0%BC%D1%83+%D1%8F%D0%B7%D1%8B%D0%BA%D1%83+6+%D0%BA%D0%BB%D0%B0%D1%81%D1%81+1+%D1%87%D0%B0%D1%81%D1%82%D1%8C+%D1%80%D1%8B%D0%B1%D1%87%D0%B5%D0%BD%D0%BA%D0%BE%D0%B2%D0%B0 (PDF link annotation)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: stream_002_off0000a4af.bin
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0xA4AF
  Size: 1485561 bytes
  SHA-256: 1718db8b7c6a44712dc1b3acee434281abf7527ebf6ea299260c2277eb5af585

Filename: font_00_sfnt_off0002a7fb.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x2A7FB
  Size: 27572 bytes
  SHA-256: 047667ec3b58339434105a65624a809978e7ef11917f1a1488907bb6c69d9900

Filename: font_01_sfnt_off0002e665.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x2E665
  Size: 15808 bytes
  SHA-256: c72f890be85ff27f81a431375f644466e268e1ea3f283160cb44391ad651bafd