Malicious PDF — malware analysis report

Static analysis result for SHA-256 7d6e841a2de01cee…

MALICIOUS

PDF

Size: 55.8 KB
Created: 2021-03-28 16:08:04 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f9a2e4d9870bc20fc24bd3608e842e20
SHA-1: 7b9e979598c38856a62424c180007f400eb79739
SHA-256: 7d6e841a2de01ceecab91b5756d449b92fa9a5f70f2d01279741b2f50683b8d5
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous external links, a pattern typical of SEO link farms and phishing campaigns. The heuristic 'PDF_SEO_LINK_FARM' flags the large number of external PDF links, which suggests an attempt to manipulate search engine results or to distribute malicious content. The presence of URLs such as 'https://baarspo.ru/award?keyword=oxford+maths+book+for+class+4+pdf', disguised as a book resource, further supports a phishing or malware-distribution vector.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7781

Heuristics (4)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://baarspo.ru/award?keyword=oxford+maths+book+for+class+4+pdf

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000cf12.bin
SHA-256: 3f04a32bef63c456d0fe283c09f55258d4b5258bc1cbd39d5d8e04f4db252063
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xCF12
Size: 5784 bytes