Malicious PDF — malware analysis report

Static analysis result for SHA-256 8e0f6a1b0b8c4b39…

Verdict: MALICIOUS

File type: PDF

Size: 96.8 KB
Created: 2021-03-27 14:22:51 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 37c779d306d14ac93963944bd8c6520e
SHA-1: db9aa75067a2d9e9f534e8cb2c774a905bb1158f
SHA-256: 8e0f6a1b0b8c4b39b13a2d741271d32660cf53e3a1ab8fd89f456bf6386904c5
Risk score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, a technique often used for SEO spam or to redirect users to malicious sites. The heuristic 'PDF_SEO_LINK_FARM' indicates a large number of such links, with one pointing to 'https://nipisod.ru/award?keyword=archimate+viewpoints+pdf'. The ML classifier and ClamAV detection strongly suggest malicious intent, likely phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8973

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL https://nipisod.ru/award?keyword=archimate+viewpoints+pdf

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00015d08.bin
SHA-256: 758a676f0ec839488cd73a43af235173325594482f7deb89d217bd996540da50
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x15D08
Size: 5504 bytes