Malicious PDF — malware analysis report

Static analysis result for SHA-256 a156e803dea79065…

Verdict: MALICIOUS
File type: PDF
Size: 102.3 KB
Created: 2021-03-24 04:35:25 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c777109dbefae58a1a00ab1a98f305e7
SHA-1: 44be40ed6aaad66e0f348944db16548f62fc6fb1
SHA-256: a156e803dea79065a65ef79f9de462ae70daebcd22e1e7bda16c48f8e3ef2550
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many of which point to other PDFs, suggesting a link farm or SEO manipulation tactic. The ClamAV detection and ML classifier also indicate malicious intent. While no scripts were explicitly extracted, the PDF structure and embedded URIs are indicative of a phishing or malicious redirection attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5711

Heuristics (4)

  • Small PDF contains mass external PDF link farm (critical) PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info) PDF_URI
    PDF contains an external URL action.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000e1a5.bin | e3b660df2a4e97f0603cc010bb462702e0f7bbef52aaaf9ec5c9f1efb8e62e0f | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE1A5 | 5392 bytes
font_01_sfnt_off0000f3cf.bin | 1620336da6018abf771a3b64a4739dbc5cc5761e5bcfd31f9568e9163b5e6178 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF3CF | 2656 bytes
font_02_sfnt_off0000fed4.bin | c4bd90921816fba77802d0a65f8766df596e04b22ca065a8ea52a82e4f473321 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFED4 | 6040 bytes
font_03_sfnt_off0001125d.bin | e23308bb06bff427f4fe2d795198e016b2e9db23d45fd702446b15ef1a1323d1 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1125D | 3048 bytes
font_04_sfnt_off00011e69.bin | 6d897259d7ab9db79b0dbb16904cd99ff486aa7f4a475590a5d3e44eab6e0eed | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11E69 | 2328 bytes
font_05_sfnt_off00012921.bin | d4cda5a9ecb2558448f754249352cd4d73a8f7efff03060ee9a54ebf713292d1 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12921 | 2604 bytes
font_06_sfnt_off00013437.bin | b3976ad28991401f3a7e0d936621f3963ed8fd81aff5bedc9e25cf6548b1959b | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13437 | 2108 bytes
font_07_sfnt_off00013e0b.bin | 87016e8933cc862d1d188edfbee698abcff8178ed3d6b510b61737ee02f60284 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13E0B | 4336 bytes
font_08_sfnt_off00014bac.bin | a18484070175de67f9446d528a4e4b105b58d28b306cb68f5b0ee49667c58b0d | pdf-font-stream | PDF embedded font (sfnt) at offset 0x14BAC | 10712 bytes
font_09_sfnt_off0001706c.bin | 0415911e43b8105d8a6199a408195444484b26654c5bad18f23acbbff8687c89 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1706C | 17100 bytes