Malicious PDF — malware analysis report

Static analysis result for SHA-256 84d87ab10b428175…

Verdict: MALICIOUS
File type: PDF
Size: 68.9 KB
Created: 2020-02-03 15:35:16
Authoring application: Scribus
First seen: 2021-05-22
MD5: 625a717bcb71dd54cf6b25401f07146e
SHA-1: 8c03a3f90bedbd958fdd9d6118c443f83ddaa7a1
SHA-256: 84d87ab10b42817542c2a6442d1036857f47c0ee351a903e743b7a12b1b09d3f
Risk Score: 154

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a lure related to debt collection, directing the user to a URL that appears to be part of a link farm. The presence of numerous external links and a high ML classifier score indicate malicious intent, likely for phishing or malware distribution. While no scripts were directly extracted, the PDF structure and embedded URLs suggest an attempt to redirect the user to malicious content.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.7401

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://traffset.ru/aws?keyword=global+credit+and+collection+corp+chicago+il (channel: PDF link annotation)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000d0de.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD0DE | 5328 bytes
  SHA-256: 8a5b52f03acc123f69cd2f9ba1150d052bf9e663ba387ed3e1545f733e307a00
font_01_sfnt_off0000e2fd.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE2FD | 10616 bytes
  SHA-256: b551579374af62b5ff3d5033838c4d604d0954da3a35ba066a40db6dead36e02
font_02_type1_off00010e7f.bin | pdf-font-stream | PDF embedded font (type1) at offset 0x10E7F | 74 bytes
  SHA-256: 66e4520597a651f09ad8fe2af9ce002e2735d7ba5ff66d04fd92415068c6750b