Malicious PDF — malware analysis report

Static analysis result for SHA-256 9bdc08b4da635f69…

MALICIOUS

PDF

66.7 KB Created: 2021-03-20 08:59:17 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f22ae87e18a44b60c6fb624fbe1ef300 SHA-1: e246887cf973bdf5614ca5e12287cd13b30580b7 SHA-256: 9bdc08b4da635f69597b2f6ff6e44de960eb396d591174a383d246d67b4a25d6
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was flagged by multiple heuristics, including ClamAV and an ML classifier, indicating malicious intent. It contains a large number of external links, suggesting a link farm or a method to distribute further malicious content. The presence of embedded URLs and the PDF_SEO_LINK_FARM heuristic strongly suggest the document's purpose is to redirect users to potentially harmful websites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9208

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jacksth.ru/wix?keyword=gtd+audio+g-622h+200+review
    • http://pazifelurup.medianewsonline.com/54005604720.pdf
    • http://nanonewe.scienceontheweb.net/bolenapax.pdf
    • https://cdn.sqhk.co/kevovevude/hhgJhiI/no_gba_emulator_cheats_for_pokemon_emerald.pdf
    • https://cdn.sqhk.co/tatolodam/cthf3nq/4540293223.pdf
    • https://cdn.sqhk.co/tobepeliv/4Yvgdjc/nike_run_club_app_apple_watch_not_working.pdf
    • https://cdn.sqhk.co/xolanikipiz/hhnhahc/white_wooden_tripod_floor_lamp.pdf
    • https://cdn.sqhk.co/boxoveru/bibggQU/50592071773.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/d6b39e1f-9dd4-4de8-8755-2076ee7e1ca1/sijuzukaropinemirawelexaw.pdf
    • https://uploads.strikinglycdn.com/files/d741e4f9-a49b-423e-a77b-7f447a1ec30d/canon_mp190_manual_utilizare.pdf
    • http://samajusinifako.atwebpages.com/que_es_una_forma_de_comunicacion_no_verbal.pdf
    • https://1e16da7b-5b4f-4122-a3c4-5c88c9d97cf7.filesusr.com/ugd/83f04e_219494ee8a904627aab31a292c33a910.pdf?index=true
    • https://uploads.strikinglycdn.com/files/a8ba9c3c-c7eb-4780-9856-87305ec65ba3/durunudijanitumo.pdf
    • https://uploads.strikinglycdn.com/files/cb56d6d0-3bf9-480b-b62f-a3332831b880/the_african_american_odyssey_chapter_1.pdf
    • http://vaxuraribo.rf.gd/63257222693.pdf
    • https://uploads.strikinglycdn.com/files/40b5134a-c023-43fb-9483-2a0ca4e93f8b/chefs_choice_3_stage_manual_knife_sharpener_instructions.pdf
    • https://be8f41f0-9ddd-434d-ab6d-aa755a40b80d.filesusr.com/ugd/726d9c_64bcbbe4129c4f0fb954aa86d26443ae.pdf?index=true
    • https://uploads.strikinglycdn.com/files/289c7eeb-3ea1-4cf5-a8f2-0bdbb2a14225/how_to_get_rid_of_pimple_scars_on_face_naturally.pdf
    • https://uploads.strikinglycdn.com/files/99ce0931-300e-4f5f-a399-1cb7171b63b2/dan_brown_origin_critics_review.pdf
    • http://kamigawox.atwebpages.com/norawagidepidivisiw.pdf
    • http://namezenidel.onlinewebshop.net/cancion_del_mariachi_guitar.pdf
    • https://uploads.strikinglycdn.com/files/93cd5368-fbdf-4c2e-a4b8-bec68533d026/grill_cover_that_fits_weber_spirit_210.pdf
    • https://5c839259-519f-4cee-a1a2-6639d654070b.filesusr.com/ugd/140efa_ee6eee3a323a459d90db2728cdee0ff0.pdf?index=true
    • http://wagadepepixapu.epizy.com/biological_classification_answers.pdf
    • https://uploads.strikinglycdn.com/files/56bbe5ae-8820-4bf9-8709-e9a55dd3b7ae/personal_development_plan_ideas_for_managers.pdf
    • https://e40da922-b0e4-44be-9878-2d4898ccab21.filesusr.com/ugd/3a38e0_56fa35924faa487bb85c39ae5a05b996.pdf?index=true
    • http://scripts.sil.org/OFL

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000dfbf.bin
084fc8b93c60e412babd2c802ae6686b8242ca5e7ffb2edcb2576bbee1e38849		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDFBF 5520 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.