Malicious PDF — malware analysis report

Static analysis result for SHA-256 7e3c14351ab483de…

MALICIOUS

PDF

Size: 68.0 KB
Created: 2021-06-05 17:57:48 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 68396e791ac2fee288ccf4083754c017
SHA-1: 8028ee82a266c37b05a2d4777cd4e390e53a45e4
SHA-256: 7e3c14351ab483de22ae4454917c83af4b7c648934d6caceccd5426d0670ecda
Risk score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous external links, with a significant number pointing to potentially malicious or link-farmed content, as indicated by the 'PDF_SEO_LINK_FARM' heuristic. The primary URL, 'https://nomylo.ru/pbw?utm_term=lesson+7.1+skills+practice+answers+key+geometry', suggests a phishing or scam attempt by masquerading as educational material. While no scripts were explicitly extracted, the presence of embedded URLs and the ML classifier's high confidence score support a malicious classification.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7936

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://nomylo.ru/pbw?utm_term=lesson+7.1+skills+practice+answers+key+geometry
    • https://senuwisaf.weebly.com/uploads/1/3/4/0/134018119/8725809.pdf
    • https://jumomemokipus.weebly.com/uploads/1/3/0/8/130874307/padadigebup.pdf
    • https://gakazores.weebly.com/uploads/1/3/1/8/131856584/a01d3b0.pdf
    • https://lafupoboj.weebly.com/uploads/1/3/1/8/131857117/wekire.pdf
    • https://cdn-cms.f-static.net/uploads/4470828/normal_602056c2bc8ec.pdf
    • https://ladozazewuse.weebly.com/uploads/1/3/4/0/134095850/7375947.pdf
    • https://turabebusaweni.weebly.com/uploads/1/3/1/4/131438207/jifanoxaferimawo.pdf
    • https://jupelokuxaw.weebly.com/uploads/1/3/4/6/134601506/c93efca.pdf
    • https://static.s123-cdn-static.com/uploads/4455642/normal_5fe3684d9adcf.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/93161f31-a810-4ecf-b237-8562392eaf72/maximum_ride_manga_vol_9.pdf
    • https://uploads.strikinglycdn.com/files/b0d12ff7-8f46-49e9-af34-590c5ada4f01/casio_protrek_prw_3000_titanium.pdf
    • https://uploads.strikinglycdn.com/files/0c17dd98-3191-48cc-8f5e-01c4dcab01ad/tigewudutigozu.pdf
    • https://uploads.strikinglycdn.com/files/03dff7de-e1b5-44b2-a07b-c84cace2ef43/firimikasiwagonidal.pdf
    • https://uploads.strikinglycdn.com/files/86bb733b-c96b-482d-87ea-10bf41f9c979/rilubesemuxilatuvuvifudo.pdf
    • https://uploads.strikinglycdn.com/files/121918d2-0b60-4b1d-af93-e8fbe104d34f/nalopugogapojidusore.pdf
    • https://uploads.strikinglycdn.com/files/969dbb64-8fa7-4b59-8b1f-90d73ead8395/nikon_prostaff_rimfire_3-9x40_manual.pdf
    • https://uploads.strikinglycdn.com/files/b97d34ce-c912-4af0-99e2-7557dbb61e53/62051622304.pdf
    • https://uploads.strikinglycdn.com/files/2c37ee64-078b-42dc-a496-417b8a82cee9/command_prompt_commands_windows_10_download.pdf
    • https://uploads.strikinglycdn.com/files/983178ae-d7dc-4578-9048-1493fcbd195a/viposewoniporinaj.pdf
    • https://uploads.strikinglycdn.com/files/0f70297e-adc6-4ce3-8b83-62edf625b89c/97184442355.pdf
    • https://uploads.strikinglycdn.com/files/56fe9f46-acbe-44d7-961c-0bfb220bd055/62092430989.pdf
    • https://uploads.strikinglycdn.com/files/cb02e37f-de67-4a26-9bcc-bb57f1807d13/what_do_the_sirens_offer_odysseus.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000ef9d.bin
SHA-256: e439ae345cf7fd720eccd6faed48c943c701ed87725a182368bd1161b7a12dab
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xEF9D
Size: 5616 bytes