Malicious PDF — malware analysis report

Static analysis result for SHA-256 90272637cdf15db3…

Verdict: MALICIOUS

File type: PDF

  • Size: 72.0 KB
  • Created: 2021-03-08 19:40:28 +02:00
  • Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
  • First seen: 2021-05-17
  • MD5: 23ec776920ba923f7a0546c2dad913d6
  • SHA-1: 2edeeea9d4932dc1fa499fbe4d2d2ff83a39e77e
  • SHA-256: 90272637cdf15db343f8dab82f0f6612625a0d52cdc8ffbd7d036ba6b90feb04

Risk score: 242

Machine Learning

  • Nyx PDF Classifier malicious score 0.7771

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting (severity: medium, rule: PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000eda9.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEDA9
    Size: 5396 bytes
    SHA-256: 94fa41f07838148defd1a712e6d908981bc346fbc4004d1ab0847ecd13a34262
  • Filename: font_01_sfnt_off0000ffef.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFFEF
    Size: 10184 bytes
    SHA-256: ad3add34d1e718b2196fef838b03300656da98d52837d66ea11a7c21bc022599