Malicious PDF — malware analysis report

Static analysis result for SHA-256 855462963255e54f…

MALICIOUS

PDF

Size: 62.5 KB
Created: 2021-06-02 21:01:02 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 544baf35b961bc5952b32f8036cd5976
SHA-1: ede59259e779c4d2a2bc3429644e90ea30050381
SHA-256: 855462963255e54fbcd1522d86ab6bb930c2273038d27973c914d545616d22fd
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file exhibits characteristics of a phishing or malware distribution campaign, as indicated by the 'PDF_SEO_LINK_FARM' and 'ML_NYX_PDF_MALICIOUS' heuristics. The presence of numerous external links, including the primary URL 'https://allytemp.ru/pbw?utm_term=harcourt+math+practice+workbook+grade+2+pdf', suggests an attempt to redirect users to malicious sites. The ClamAV detection further supports its malicious classification.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8464

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://allytemp.ru/pbw?utm_term=harcourt+math+practice+workbook+grade+2+pdf

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000d6bc.bin
SHA-256: 5ab5e3b87011abe1f69360a615fa691d12f0d4869623598d16b6cdc192b2648a
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xD6BC
Size: 5524 bytes