Malicious PDF — malware analysis report

Static analysis result for SHA-256 882094d7c0d1e4f0…

Verdict: MALICIOUS
File type: PDF
Size: 63.3 KB
Created: 2021-02-23 14:05:21 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f1bbdbd58cfc61cc24739aca36c1baa8
SHA-1: 333ad8987b5d7db12393ccef30b2937f2033fedd
SHA-256: 882094d7c0d1e4f0e445ffd30f069efa97356b933f547cf0062099f569ac1cf8
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, identified as a 'PDF link farm', suggesting a malicious intent to redirect users. ClamAV and ML classifiers flagged this PDF as malicious, specifically as a phishing trojan. The embedded URLs, such as https://jacksth.ru/123, are likely part of this malicious infrastructure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9635

Heuristics (4)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://jacksth.ru/123?utm_term=la+divina+comedia+resumen+del+paraiso+por+cantos
    • https://teputire.weebly.com/uploads/1/3/0/8/130813428/pufadunesasase-kewexev-malalunowudo.pdf
    • http://3203epworthcres.com/environmental_impact_assessment_india7s7x6.pdf
    • http://theplafond.xyz/8775904359isv84.pdf
    • http://mosquito.codes/how_much_can_i_earn_while_on_disability_support_pensionz7wmw.pdf
    • http://viputixezererej.66ghz.com/dutabekobuwutadesanuveba.pdf
    • https://nuguviroguzemek.weebly.com/uploads/1/3/1/0/131070089/9374280.pdf
    • http://mscgis.net/tugas_dan_fungsi_penyuluh_agama_islam2juwy.pdf
    • http://marafonsport.site/683929702v0015.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/vukusa/gain_dryer_sheets_ingredients.pdf
    • http://gudanomakorake.epizy.com/tadibexoloz.pdf
    • https://s3.amazonaws.com/bejokazemur/memorandum_of_sale_template_uk.pdf
    • https://s3.amazonaws.com/pokixovuxik/7425166780.pdf
    • http://gepuxaxevo.rf.gd/dd_5e_critical_hit.pdf
    • http://gavuzolu.epizy.com/aaromale_song_123musiq.pdf
    • http://redepulevinevux.epizy.com/extended_end_plate_moment_connection_spreadsheet.pdf
    • http://povojenase.rf.gd/what_are_the_types_of_qualitative_research_methods.pdf
    • https://s3.amazonaws.com/jalasilunaz/free_gba_emulator_for_windows_7.pdf
    • http://visifisaduz.rf.gd/video_helper_mac_firefox.pdf
    • https://s3.amazonaws.com/tosevud/express_vpn_apk_onhax.pdf
    • http://sexusig.rf.gd/charles_taylor_philosopher_a_secular_age.pdf
    • https://s3.amazonaws.com/buwosevax/nozumemexeruboxida.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000e503.bin
SHA-256: 47ed88f214cb696f7bc30da23c862ccaf4735ba31f709351934b1469b9481b72
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xE503
Size: 5220 bytes