Malicious PDF — malware analysis report

Static analysis result for SHA-256 a026420a7188278c…

MALICIOUS

PDF

96.8 KB Created: 2021-03-04 15:29:04 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-16
MD5: 109b0c9cc4fe6a122d11bc46fb579499 SHA-1: c04965a9b7726e5fb496a4a10630d650306dcd75 SHA-256: a026420a7188278c799d70ba6b0c0d0f978125aa2ccd7dec2d955ce5d4d0d953
184 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document contains a large number of external links, many pointing to disposable domains, suggesting a link farm or phishing campaign. The ClamAV detection and ML classifier indicate malicious intent, likely related to phishing or malware distribution. The presence of embedded URLs and the PDF_SEO_LINK_FARM heuristic strongly suggest the document's primary purpose is to redirect users to potentially harmful external sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7698

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://maypoin.ru/award?keyword=what+is+considered+middle+class+in+alabama PDF link annotation
    • https://cdn-cms.f-static.net/uploads/4501486/normal_603f48d02c2aa.pdfIn PDF document text
    • https://cdn.sqhk.co/togodawexu/l8VlEjb/charlie_the_duck_free.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4446152/normal_5fce00beddb8b.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4475864/normal_5fca2ee44b225.pdfIn PDF document text
    • https://cdn.sqhk.co/juselivo/ia19jdV/suppression_vs_oppression.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4373505/normal_602cae9114bc4.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/3f933311-5916-4e2c-8d17-edd7d436b920/the_essays_of_warren_buffett_book_review.pdfIn PDF document text
    • https://fbaba6ab-37cf-477f-82bd-e10a416eccda.filesusr.com/ugd/3c8574_23708acc3a0c4d3184deed4214f3d1a5.pdf?index=trueIn PDF document text
    • https://de2a8dfc-dc8d-4d62-be3b-f97abdd17bf6.filesusr.com/ugd/c722c2_4860058405e747b4bbec59b00d950b24.pdf?index=trueIn PDF document text
    • https://ccd4a2e6-63e2-4dcb-a02e-1ae1253dabcc.filesusr.com/ugd/059ff1_630998d0550f401d829445e289a14f86.pdf?index=trueIn PDF document text
    • https://5637a596-61ce-4e67-8953-8fd9cb84b940.filesusr.com/ugd/c20ea7_53a1f189872d43169bfed99e04a11d98.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/5cc5389e-3aba-4278-8682-5f6fc936dcfd/21000131751.pdfIn PDF document text
    • https://793776f3-68b4-44d3-947a-596ce2c6f652.filesusr.com/ugd/4e977a_d8f0a50a104d4a048595bbc8fcd00058.pdf?index=trueIn PDF document text
    • https://ebba3e40-d49f-4cc8-b137-373bb1124918.filesusr.com/ugd/384ea4_38bf2ea2ea2c4669beaf7e3173b06023.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/02a65aa9-b4f6-4401-80ed-802b542bbbe9/what_snack_pairs_well_with_red_wine.pdfIn PDF document text
    • https://2f2ab42d-e0b4-4bd3-aa50-2430da1ff5fc.filesusr.com/ugd/eaf48f_9a89bb2b45b14c80981e3832e4ffbc4d.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/04f27bc8-0cb9-436f-9a41-e6d47b14640b/35098055016.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/ea828bfe-a2f0-4d30-84bd-e582bae2bf21/14578339050.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/826d7d44-fb84-436c-b907-93ad0cf22d33/marotamodujojagibo.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/ec9ef88d-8849-4a48-a9cd-6a25b2993430/zawowesagebepebadere.pdfIn PDF document text
    • https://8ecf7690-1f99-4e28-a4b6-3228ba9731d7.filesusr.com/ugd/63d3ad_102d3220fe714153a95b8c46bffeadd6.pdf?index=trueIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00015e49.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x15E49 5332 bytes
SHA-256: 0036bf3f6217cc484f38c2713e69bd8adab1c3c228d6a9847b029114a3c27ba6