Malicious PDF — malware analysis report

Static analysis result for SHA-256 9e3531e1c7c466f7…

MALICIOUS

PDF

Size: 66.8 KB  Created: 2021-03-28 05:37:02 +03:00  Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bdaac0249f4d37642cc6944fee078540  SHA-1: cd2cd96d71ca0d479f095471dcfe54497f040f92  SHA-256: 9e3531e1c7c466f776cf24d9740cef774e684834f08d7d4fec293c6e59a2e902
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

Both ClamAV (signature Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0) and the Nyx PDF classifier (malicious score 0.9510) flag this file. It is a small (66.8 KB) wkhtmltopdf-generated document whose link annotations point to more than twenty external .pdf files spread over disposable-looking domains (.club, .xyz, .info) and free file-hosting CDNs (cdn.sqhk.co, filesusr.com, strikinglycdn.com). That is the pattern the PDF_SEO_LINK_FARM heuristic targets: a generated SEO carrier that routes search-engine visitors into a redirect or unwanted-software delivery chain rather than a document with a normal citation pattern. The 'DOC BODY' text channel is obfuscated junk, but the first extracted URL (https://lozipotod.ru/award?keyword=7th+grade+math+minutes+pdf) carries the search query '7th grade math minutes pdf' as a parameter, which indicates the lure the document is meant to rank for. Two of the extracted URLs (www.ascendercorp.com and scripts.sil.org/OFL) are a font foundry's site and the SIL Open Font License address; such URLs usually originate in the licence strings of embedded fonts (two sfnt fonts were carved from this sample) rather than in clickable links, and should not be treated as indicators. No JavaScript, OpenAction or Launch heuristic fired, so the T1059.007 mapping is not corroborated by the static findings shown here; the observed malicious behaviour is carried entirely by the external link annotations.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9510

Heuristics (5)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) raised PDFSyntaxError on this file. The static heuristics still ran and their findings above stand; only the differential cross-check signal is missing, so there is no second-parser confirmation of the object structure (xref, streams, annotations) behind the URL list.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://lozipotod.ru/award?keyword=7th+grade+math+minutes+pdf
    • http://arm-watch3.club/2463599089219xb9.pdf
    • https://cdn.sqhk.co/zixapegof/jbcAMhc/counting_1_to_10_worksheets.pdf
    • http://coupons2020.info/kekimoxubepiwovoph6v4n.pdf
    • http://probmake12.xyz/lenovo_t400_bios_beep_codesidu0v.pdf
    • https://cdn.sqhk.co/zotofoza/icUidXy/vumezovogegujirukodi.pdf
    • http://originalhallyu.com/hp_officejet_pro_6830_software_for_windows_10arbnr.pdf
    • http://mydenverneighborhoods.com/nutritional_information_pringles_sour_cream_and_oniongwf1k.pdf
    • https://cdn.sqhk.co/wajidafix/Xsxjdgc/65095620514.pdf
    • https://cdn.sqhk.co/xupodafib/ghXhcjd/fowitefagonemad.pdf
    • https://cdn.sqhk.co/puzadowoke/ji3kJhj/tibemuwisowigifelasado.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://2ae8fa2d-8b21-4cd7-bd94-b44763fb9b4d.filesusr.com/ugd/8e1ec7_ba91710b791744778e5e57d2ed5bb130.pdf?index=true
    • https://6d4a8fb0-9a8a-4850-8aa1-2b5706121c9a.filesusr.com/ugd/ff2e72_721970bdca0e4bb0838e525044be9de9.pdf?index=true
    • https://uploads.strikinglycdn.com/files/02aa3508-064e-41e4-8d2d-4f8259ee7efb/6912379378.pdf
    • https://uploads.strikinglycdn.com/files/f256cd06-59b5-4128-a5c8-6a1094a30fae/27678374178.pdf
    • https://uploads.strikinglycdn.com/files/af67643c-3846-4e1b-b508-f2213e394d2e/what_does_fanatic_mean_antonym_and_antonyms.pdf
    • https://8d6920c1-aef5-45ed-b1a0-e693d63948fb.filesusr.com/ugd/0a593f_945b12ccfc2f4b79ae487cd5993e7d6f.pdf?index=true
    • https://uploads.strikinglycdn.com/files/2a68e6f5-00ab-4d39-ad62-31713994e70a/82295014861.pdf
    • https://9abff256-b119-4e75-a612-dfc075f5428e.filesusr.com/ugd/c73517_30242285e7364fc4a73a330eb9129f2e.pdf?index=true
    • https://uploads.strikinglycdn.com/files/c288106c-6c2f-4aa8-b179-992d97bda576/32685502661.pdf
    • https://000bb656-a8cb-4e8b-9327-0b0ec99f56fe.filesusr.com/ugd/3f812e_dfd42b37b3bc4c66aae5cb2c70c43c5d.pdf?index=true
    • https://7404da97-7fcf-4d5f-9d5f-3f8644e6773a.filesusr.com/ugd/35f767_335d92a70138428499b6828865635a7c.pdf?index=true
    • https://ede36962-9452-4451-b182-fa4236ba9bc6.filesusr.com/ugd/83b1b3_9e10d3bfd5244abcb3770c7925291319.pdf?index=true
    • https://a26b494c-4f54-4b9d-aaa3-e02d462d315a.filesusr.com/ugd/c6268f_cd54800fdba148d9bfc00aca2cca870e.pdf?index=true
    • http://scripts.sil.org/OFL
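As an added example (not the analysis platform's own detection code), the following Python re-implements the logic behind the PDF_SEO_LINK_FARM and EMBEDDED_URL findings above over raw PDF bytes: it separates URLs that are targets of clickable /URI link actions from URLs that merely occur somewhere in the byte stream (such as a font licence string), then fires the link-farm check when a small file carries many clickable external .pdf links clustered on one host. The regexes, the thresholds and the constructed sample PDF are assumptions; only the host names and the OFL URL are taken from the report.

```python
"""Added example: a PDF_SEO_LINK_FARM-style check over raw PDF bytes.

Not the analysis platform's code.  Regexes, thresholds and the constructed
sample PDF below are assumptions made for illustration.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Link annotations carry their target as /A << /S /URI /URI (http://...) >>.
URI_ACTION_RE = re.compile(rb"/S\s*/URI\s*/URI\s*\((?P<url>[^)]*)\)")
# Any http(s) URL anywhere in the byte stream: font licence strings, junk text, ...
ANY_URL_RE = re.compile(rb"https?://[^\s()<>\"']+")


def extract_urls(pdf: bytes) -> dict:
    """Map each URL to the channel it was found in: 'uri_action' or 'body'.

    Only 'uri_action' URLs are clickable; a URL that appears only in the body
    (e.g. a font licence such as http://scripts.sil.org/OFL) is not a link.
    """
    channels = {}
    for m in URI_ACTION_RE.finditer(pdf):
        channels[m.group("url").decode("latin-1")] = "uri_action"
    for m in ANY_URL_RE.finditer(pdf):
        channels.setdefault(m.group(0).decode("latin-1"), "body")
    return channels


def link_farm_verdict(pdf: bytes, *, max_size: int = 200_000,
                      min_pdf_links: int = 5, host_share: float = 0.5) -> dict:
    """Fire when a small PDF carries many clickable links to external .pdf
    files and most of them sit on one host.  Thresholds are assumed."""
    urls = extract_urls(pdf)
    clickable = [u for u, ch in urls.items() if ch == "uri_action"]
    pdf_links = [u for u in clickable if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_count / len(pdf_links) if pdf_links else 0.0
    return {
        "size": len(pdf),
        "clickable": len(clickable),
        "pdf_links": len(pdf_links),
        "top_host": top_host,
        "top_host_share": share,
        "fires": len(pdf) <= max_size and len(pdf_links) >= min_pdf_links
                 and share >= host_share,
    }


def build_sample_pdf(hosts) -> bytes:
    """Constructed, deliberately minimal PDF (no xref table) with one /Link
    annotation per host entry plus a font stream carrying a licence URL."""
    objs = b"%PDF-1.4\n"
    for i, host in enumerate(hosts):
        objs += (f"{10 + i} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 10] "
                 f"/A << /S /URI /URI (https://{host}/d{i}/{i * 7919}.pdf) >> >>\nendobj\n"
                 ).encode()
    objs += (b"30 0 obj\n<< /Length 69 >>\nstream\n"
             b"Licensed under the SIL Open Font License, http://scripts.sil.org/OFL\n"
             b"endstream\nendobj\n")
    return objs + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    # Six links clustered on cdn.sqhk.co (a host from the report) and two elsewhere.
    sample = build_sample_pdf(["cdn.sqhk.co"] * 6 + ["lozipotod.ru"] * 2)
    for url, channel in extract_urls(sample).items():
        print(f"{channel:10s} {url}")
    print(link_farm_verdict(sample))
```

Working on raw bytes rather than a parsed object tree is deliberate: the report shows pdfminer.six raising PDFSyntaxError on this sample, and a regex pass still recovers the URI actions. The cost is that URLs inside FlateDecode-compressed streams are invisible unless the streams are inflated first, and a /URI value written as a hex string or split with PDF escapes would be missed, so treat this as a triage heuristic that complements a real parser rather than replacing one.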

Extracted artifacts (2)

Files carved from inside the sample during analysis.

font_00_sfnt_off0000d40b.bin
  SHA-256: 93eb175c3d94067b8725923719d624a02d00e98be3cd9d7c3aad30ee09c9fda1
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xD40B
  Size: 5408 bytes

font_01_sfnt_off0000e64b.bin
  SHA-256: fa87bf67a832615f0d3acf7e784223105e702661dc93adeb148cab0d426777cc
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xE64B
  Size: 10780 bytes