Malicious PDF — malware analysis report

Static analysis result for SHA-256 98fca41d7e55948f…

Verdict: MALICIOUS
File type: PDF
Size: 81.6 KB
Created: 2021-03-14 07:55:31 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: aab3a4afe1fee87cf4415c372ee7d3d7
SHA-1: a157dcb0c277afa6f3d00832ac8cfbcb6c7d88fe
SHA-256: 98fca41d7e55948f976359798d8b77cc3705c86656f97ed88bf40881d66b3228
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file contains numerous external links, many pointing to benign-looking documents, but also includes a suspicious URL likely used for phishing or malware distribution. The heuristic 'PDF_SEO_LINK_FARM' indicates a large number of external links, suggesting an attempt to manipulate search engine results or distribute content widely. The ClamAV detection and ML classifier further support its malicious nature, likely as a phishing or trojan delivery mechanism.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.8088

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00012024.bin
SHA-256: 66472c1c402484fe9e98d394a87b64262875d17cb8f86945f392fcade898b47a
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x12024
Size: 5444 bytes