Malicious PDF — malware analysis report

Static analysis result for SHA-256 93b8a2fd604e222f…

MALICIOUS

PDF

Size: 73.6 KB
Created: 2021-04-05 14:08:40 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a6c33ae35280c1333a77e5de52b60d4c
SHA-1: 849d63df839ecc845217984fd84163ce0cfd8221
SHA-256: 93b8a2fd604e222fa5c8ffaa027c3fa264c98c0365cafcdbc3b1ca7f320d6c79
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged by multiple heuristics, including ML classification and ClamAV, as malicious. It contains a large number of external links, many of which are SEO-optimized, suggesting a link farm or phishing attempt. The primary malicious URL identified is https://jacksth.ru/award?keyword=public+service+commission+uganda+aptitude+test+questions+and+answers+pdf, which is likely used to direct users to a malicious site or download a payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9618

Heuristics (4)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://jacksth.ru/award?keyword=public+service+commission+uganda+aptitude+test+questions+and+answers+pdf

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000fb7b.bin
SHA-256: 0219381a75a05fa234ff5225642e7b25ddd4f0f50552ed17d269c34ded19c76d
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xFB7B
Size: 5896 bytes