PDF malware analysis — malicious · 86c85219c42fb506

MALICIOUS

PDF

66.8 KB Created: 2021-03-04 16:41:26 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 3504f39ccb01b3a32a91a5eb4fed9707 SHA-1: 1d8adfb2eb647bff93517c1e6245ad64de957e57 SHA-256: 86c85219c42fb506a1f7be80efaa0dc652eebc67ccd456dfd7adfcb10d97a94a

154 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of external links, many of which point to PDF files hosted on link farms, indicating a potential phishing or malware distribution scheme. The ClamAV detection and ML classifier further support its malicious nature. The embedded URL `https://zajinet.ru/strik?utm_term=math+book+8th+grade+pdf` is the primary indicator of the lure, attempting to disguise the malicious intent as a math book.

Machine Learning

Nyx PDF Classifier malicious score 0.8536

Heuristics 4

Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://zajinet.ru/strik?utm_term=math+book+8th+grade+pdf
- https://jagefebasedi.weebly.com/uploads/1/3/5/9/135993187/0752f401319.pdf
- https://relotevifinedu.weebly.com/uploads/1/3/2/6/132683264/3580242.pdf
- https://zapidowezagija.weebly.com/uploads/1/3/4/0/134041255/vowufilogevisu.pdf
- https://kuvixirizu.weebly.com/uploads/1/3/0/7/130739951/duguruxenaxuleveg.pdf
- https://nojabepeteguki.weebly.com/uploads/1/3/4/6/134669956/1462038.pdf
- https://gobodukigibab.weebly.com/uploads/1/3/1/8/131856162/9441412.pdf
- https://static.s123-cdn-static.com/uploads/4382784/normal_6009a1f8d0175.pdf
- https://static.s123-cdn-static.com/uploads/4486365/normal_5fe1ff77c5d1e.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://b3079848-b07e-4d89-9244-05dfa5dd91fe.filesusr.com/ugd/3ab5ed_b1ad99c96bea497e9512e2a37a13fe3e.pdf?index=true
- https://uploads.strikinglycdn.com/files/e5d86726-3872-4cde-aec7-21863afae539/employees_only_beyond_this_point_traduccion.pdf
- https://uploads.strikinglycdn.com/files/25ee199d-1c1a-4cbc-b947-a8dfef68cafe/r_basics_for_beginners_free_download.pdf
- https://s3.amazonaws.com/wukevirenesu/14044216872.pdf
- https://uploads.strikinglycdn.com/files/7a93627e-90f1-4362-8581-2a35eae2209a/begexewaxubi.pdf
- https://s3.amazonaws.com/visagogijulep/all_organisms_living_in_a_particular_ecosystem_are_collectively_known_as_an.pdf
- https://s3.amazonaws.com/tibitexil/baixar_jogos_xbox_360_formato_iso.pdf
- https://uploads.strikinglycdn.com/files/be20e635-4af5-4bc7-b8da-e26be52a36c9/xozilapajatutipiwajoreje.pdf
- https://6d4a8fb0-9a8a-4850-8aa1-2b5706121c9a.filesusr.com/ugd/ff2e72_4052ddc3230749e9b4b064a23f5a48a5.pdf?index=true
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000d959.bin` `0d1579168ee79adeff307255fd755974dcfd8b0ac06f2757c7a0af6fc7ba5622`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xD959	5132 bytes
`font_01_sfnt_off0000eade.bin` `e175b94573277342d715d258286ff7b00785f83f51d69d31e96320b734075d75`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xEADE	10900 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.