Malicious PDF — malware analysis report

Static analysis result for SHA-256 8e06b9819b2bc5ae…

Verdict: MALICIOUS
File type: PDF
Size: 72.2 KB
Created: 2021-03-08 17:49:06 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2675f3a0c4fc26ec99eb60d7e6af1a75
SHA-1: 74b62f82d2f3bfea190178eafacdb3d21b106d5a
SHA-256: 8e06b9819b2bc5aee89d3260471efb91847ce2f3e4bfed66de44832025e5ff5b
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

A critical-severity heuristic fired on a malicious redirector link pointing to 'https://yafferge.ru/award?keyword=goodrich+tamassia+data+structures+and+algorithms+in+java+pdf'. The URL is presented within the document body, disguised as a search result. The ML classifier and ClamAV also flagged the file as malicious, corroborating the heuristic. The primary attack vector appears to be social engineering via a malicious link within the document: the sample relies on the user clicking through a redirect chain rather than on a PDF parser vulnerability.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8215

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection: see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://yafferge.ru/award?keyword=goodrich+tamassia+data+structures+and+algorithms+in+java+pdf

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00010297.bin
SHA-256: c71634a0b8edec96aee1f978ded36fd500820b29d7f2ce29cf8fb188f3fe308d
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x10297
Size: 5736 bytes