Malicious PDF — malware analysis report

Static analysis result for SHA-256 89f1c2ce44705c1d…

Verdict: MALICIOUS
File type: PDF

Size: 62.7 KB
Created: 2021-02-23 02:37:30 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c9ad71cdbfe51093105475314ee169df
SHA-1: 96d484d97cdeacddfadfbfcff0962b482dda806f
SHA-256: 89f1c2ce44705c1dcf4dd58b7fc9f57b48654cadd1a71a7a10025f711cb93d59
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, identified as a link farm, directing users to various URLs. This behavior, combined with ClamAV detection and ML classification, strongly suggests a phishing or malware distribution attempt. While no scripts were explicitly extracted, the PDF structure and link farm indicate an intent to redirect users to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8518

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000c5dc.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xC5DC | 5048 bytes
  SHA-256: 1213a9932949f9af69df3550b46fccefa826da254db2b1966097e25c8ce66799
font_01_sfnt_off0000d71a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD71A | 11116 bytes
  SHA-256: 0c7ec2d4299692bc72244f60f6a7627bf89f4172e223f820fc499e55183c93d4