Malicious PDF — malware analysis report

Static analysis result for SHA-256 887d0197a8b9f7a2…

Verdict: MALICIOUS

File type: PDF

Size: 82.8 KB
Created: 2021-04-01 22:52:10 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: dfd370df7cf12abbdf6a0a49a7a0f359
SHA-1: 6f5b9826acedaeb0e82fc4f725cc246e82271aab
SHA-256: 887d0197a8b9f7a2232b7395c7b080ade5197782128b4deb1751de8531fa2fdd

Risk Score: 124

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains a large number of external links, identified as a PDF link farm, which is a common technique for SEO manipulation and distributing malicious content. The ClamAV heuristic also flags it as a phishing trojan. While no scripts were extracted, the presence of numerous external URLs suggests an attempt to redirect the user to potentially malicious sites.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.3548

Heuristics (4)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://bologen.ru/strik?utm_term=lazarillo+de+tormes+tratado+1+english
    • https://cdn.sqhk.co/dofewijoras/jjUgiOL/rimufetukimelirewonigij.pdf
    • https://cdn.sqhk.co/xopuwatipo/VgjiiRg/71024146998.pdf
    • https://sutopudebesi.weebly.com/uploads/1/3/1/4/131438093/3780767.pdf
    • https://cdn.sqhk.co/dusawugivepo/IwQgggf/rodebawirexujefur.pdf
    • http://dupuladusudired.mypressonline.com/wuwuwip.pdf
    • http://sovuradema.medianewsonline.com/97332686066.pdf
    • https://static.s123-cdn-static.com/uploads/4487625/normal_5fcc2d9c9f465.pdf
    • https://kuvovoturuja.weebly.com/uploads/1/3/5/3/135322548/7922902.pdf
    • http://tinesemexogo.mygamesonline.org/sda_bible_commentary_genesis_to_revelation.pdf
    • https://static.s123-cdn-static.com/uploads/4417669/normal_5fdf2ef24f540.pdf
    • https://cdn.sqhk.co/rilowikapaz/icIcihV/23166290757.pdf
    • https://dadekubezaxinis.weebly.com/uploads/1/3/2/7/132740399/6237433.pdf
    • https://cdn.sqhk.co/bapisolel/rnu4heP/zezixo.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://599b09cd-7b6a-4758-94a3-08a08d316165.filesusr.com/ugd/628a76_d22600d692af4baca009d42b6ca22466.pdf?index=true
    • https://367e539a-c541-4439-991c-4bf2bef2aa7a.filesusr.com/ugd/77d535_94c97766fb494421816decef95d6285b.pdf?index=true
    • https://a7da3e60-63c8-46c1-a846-eab7df628ed2.filesusr.com/ugd/bba345_c38e9ab94a7747b1ac6e109b919e6a96.pdf?index=true
    • https://eeff404e-5492-4914-a1d7-e39d1f35e6b2.filesusr.com/ugd/e58d70_dfa2df5e35bb451593fdfdf4e3e06a2c.pdf?index=true
    • https://528f6e5c-6927-42ef-b7a5-a8f9c349750c.filesusr.com/ugd/07b979_04ae3e1a021a43bd8faedd864ac93869.pdf?index=true
    • https://f6ea5e03-7e7c-4dce-82ee-fd5d223759ef.filesusr.com/ugd/d203ad_1a371bdce89b4d1ab864c3283170a347.pdf?index=true
    • https://50bf384a-eeac-4f26-a262-e2ba1a5e00ba.filesusr.com/ugd/17159d_61023e9003a540fa9e0f74e70ac5a67b.pdf?index=true
    • https://7a3463bf-3117-47cc-940f-ad9d50d05675.filesusr.com/ugd/9f2514_84a6616ecaa14267b2a57b18d3e2b39d.pdf?index=true
    • http://timagugovoxo.onlinewebshop.net/nucleophilic_addition_reaction_of_carbonyl_compounds.pdf
    • https://27aa3d6a-fcc1-4574-a8e0-77dd5bf64dcc.filesusr.com/ugd/7683ec_1c266e65247a407e978a25258a142cc8.pdf?index=true
    • https://901c4554-6fda-40bf-8344-1f1538f5dc06.filesusr.com/ugd/a76634_a4378b696c4944938a1f4b42ba20b38b.pdf?index=true
    • http://scripts.sil.org/OFL

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

  • font_00_sfnt_off0001088a.bin
    SHA-256: 523f9dcc2ccecd953d4b57b12f40f62a9e8cb607b839fd1ba4b670b75c93c170
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1088A
    Size: 5072 bytes
  • font_01_sfnt_off0001199f.bin
    SHA-256: 9284f289420883195563f66c42408143f8d0b9b86b866de4482c812f718f59bd
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1199F
    Size: 12044 bytes
  • font_02_sfnt_off0001406e.bin
    SHA-256: 05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1406E
    Size: 4324 bytes