Malicious PDF — malware analysis report

Static analysis result for SHA-256 7d812743542b5dbf…

Verdict: MALICIOUS
File type: PDF

Size: 82.6 KB
Created: 2021-05-23 08:51:14 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1e25f7e291a6048eaf7c052033ce37ac
SHA-1: a81c9fcce72886b72ef33e200049c0700fd10690
SHA-256: 7d812743542b5dbf3a0e8cd15af4acb04ac753c73f8e69ba30b6ca84d52f3319
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains a heuristic firing for a PDF SEO link farm, indicating a large number of external links. One of these links, https://nipisod.ru/strik?utm_term=wfg+financial+needs+analysis+pdf, is flagged as suspicious. ClamAV also detected the file as Pdf.Phishing.Trojan, further supporting a malicious classification. The document body, though heavily obfuscated, contains references to 'Wfg financial needs analysis pdf', suggesting a lure for users seeking financial information.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8041

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF_URI (info): External URI
    The PDF contains an external URL (URI) action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://nipisod.ru/strik?utm_term=wfg+financial+needs+analysis+pdf
    • https://zopiwaseka.weebly.com/uploads/1/3/0/9/130969839/2380355.pdf
    • https://cdn-cms.f-static.net/uploads/4486521/normal_6014cee4bd76f.pdf
    • https://cdn-cms.f-static.net/uploads/4416659/normal_600c39f4ab1c8.pdf
    • https://bamegipizof.weebly.com/uploads/1/3/4/6/134647446/kodaresanuzoz_pifonuda.pdf
    • https://static.s123-cdn-static.com/uploads/4415929/normal_5fe0bb8b1f2e5.pdf
    • https://xumizobizuzu.weebly.com/uploads/1/3/4/6/134688834/virabiwape_bomutub_wutosiboz.pdf
    • https://kivomulugan.weebly.com/uploads/1/3/2/6/132695939/vefotapise.pdf
    • https://mokowevabib.weebly.com/uploads/1/3/0/7/130739664/7540749.pdf
    • https://cdn-cms.f-static.net/uploads/4496151/normal_606cfbb45f065.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/dc50f76d-5098-4ba6-94c5-dacc6dd682e5/husqvarna_yth20k46_drive_belt_installation.pdf
    • https://uploads.strikinglycdn.com/files/616bdb7f-e1f7-402e-9bcf-659713ade5a6/california_residential_lease_agreement_doc.pdf
    • https://uploads.strikinglycdn.com/files/043342d8-dced-4f53-8e9f-845229893efe/bubenizofekigujuxatig.pdf
    • https://s3.amazonaws.com/tosego/will_there_be_a_season_3_for_big_little_lies.pdf
    • https://s3.amazonaws.com/kudefem/homographs_worksheets_with_answers_for_grade_3.pdf
    • https://uploads.strikinglycdn.com/files/ddc77e8f-2f1b-478e-a47a-d90e06f28580/97965674428.pdf
    • https://uploads.strikinglycdn.com/files/a1f25e85-7c85-47f6-a148-7157fa6cbc34/ap_language_and_composition_practice_exam.pdf
    • https://s3.amazonaws.com/poresi/el_nuevo_juicio_de_amparo_indirecto.pdf
    • https://s3.amazonaws.com/zodawanuror/vietnam_fmcg_market_report.pdf
    • https://uploads.strikinglycdn.com/files/2010b398-4851-4cdc-a5a3-6890e9f454c2/how_to_use_the_deluxe_ez_bow_maker.pdf
    • https://uploads.strikinglycdn.com/files/4b1138f9-bd0c-4133-8903-6d0def798eb6/how_to_cure_chicken_pox_scars_fast.pdf
    • https://uploads.strikinglycdn.com/files/fa10f7b8-a47d-4fde-bcd9-0199911a03dc/blackburn_trakstand_magnetic_trainer.pdf
    • https://uploads.strikinglycdn.com/files/8b753e84-1244-4370-96cc-2fa153bdcf72/mireluzutimesi.pdf
    • https://uploads.strikinglycdn.com/files/50e6847f-a3e8-4b05-93e4-c8e6cd87e4f4/65968320958.pdf
    • https://s3.amazonaws.com/mozedijiz/netijepojikojobozozanowup.pdf
    • https://uploads.strikinglycdn.com/files/2ae83e0e-aa3c-48bf-b9b8-f290166f5d15/69451546028.pdf
    • https://uploads.strikinglycdn.com/files/38109fff-f9cb-4ee6-b97d-3e93529f7dda/kegavowifozosuwunapaba.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0001217c.bin
SHA-256: d706d5fd049bcb88a354b2de9086622f3e0566cd1d0f9d88a1fbe6fe3decbcb9
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1217C
Size: 5340 bytes