Malicious PDF — malware analysis report

Static analysis result for SHA-256 91654f32f95ff43c…

Verdict: MALICIOUS
File type: PDF
Size: 69.4 KB
Created: 2021-06-03 06:56:12 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e4101c66a40f3ba005fa52a19f01bd59
SHA-1: 3ea909202aba1e75866ff0dbcbfaa4209071eab2
SHA-256: 91654f32f95ff43cd1fb61859221de76175489911c12588953d945da47ca4300
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many of which point to other PDFs, suggesting a link farm or phishing attempt. The ClamAV detection and ML classifier also indicate malicious content. The presence of embedded URLs and the heuristic firing for PDF_SEO_LINK_FARM strongly suggest the document is designed to redirect users to malicious sites, likely for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.5837

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF_URI (info): External URI
    PDF contains an external URL action
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000f26d.bin
    SHA-256: d87453272b25fca6ce5b27cadbdaecc3d6a7a63dc28e446743a36ee4d2bdfafd
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF26D
    Size: 3052 bytes
  • Filename: font_01_sfnt_off0000fd50.bin
    SHA-256: 9efe6c33427568c6901249b343b7ae28797ede5c7c08b36017f4086676a02b8b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFD50
    Size: 5588 bytes