Malicious PDF — malware analysis report

Static analysis result for SHA-256 a205d73b951cf505…

MALICIOUS

PDF

Size: 83.2 KB
Created: 2021-03-20 15:26:21 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-29

MD5: b2516a723c57b6fc9f6b65e00a39afb7
SHA-1: 290ed9cab434dff7d33fc303ff67e7da3b6d9437
SHA-256: a205d73b951cf5058f321e18178f4aff1b06a8900aabb6ebbc834d6c64977571

Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, most of them to other PDF files on a handful of file-hosting domains (cdn.sqhk.co, uploads.strikinglycdn.com, s3.amazonaws.com, weebly.com); this is the pattern of a generated SEO link farm rather than genuine document citations. ClamAV flags the file with the signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0, and the Nyx PDF classifier scores it 0.5384, only marginally above the 0.5 midpoint, so the ML verdict is a weak signal on its own. The single clickable link annotation points to crophysi.ru with a query string advertising a free PDF download, consistent with a lure that routes the reader into a further malicious or unwanted-software download chain. Two of the extracted URLs (ascendercorp.com and scripts.sil.org/OFL) are font-licensing references carried in embedded font metadata, consistent with the two sfnt fonts carved below, and are not lure links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5384

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://crophysi.ru/award?keyword=asmaul+husna+dan+artinya+lengkap+99+pdf+download (PDF link annotation)
    • https://cdn.sqhk.co/litopozuf/Uihjbjc/jack_adventure_2_platform_jump_run_fighter.pdf (in PDF document text)
    • https://zanazajerepa.weebly.com/uploads/1/3/4/0/134012527/6522997.pdf (in PDF document text)
    • https://lovebaxubifutu.weebly.com/uploads/1/3/4/3/134322000/bugow.pdf (in PDF document text)
    • https://cdn.sqhk.co/raninogozo/cdTnie8/luminocity_festival_2020_new_york.pdf (in PDF document text)
    • https://cdn.sqhk.co/modajili/giiFjgK/chemistry_books_free_for_iit_jee.pdf (in PDF document text)
    • https://cdn.sqhk.co/bitizulokiva/bgjzgcA/arcade_fighting_games_play_online.pdf (in PDF document text)
    • https://barosowuni.weebly.com/uploads/1/3/1/3/131398377/riputazipesukogugof.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://uploads.strikinglycdn.com/files/a8ebc380-431a-46ac-9a8d-d008c96f8a65/bayliner_service_near_me.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/be0691c3-c14f-4ab3-8101-88799c1374d1/balid.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/28ed5f34-4230-4633-96b7-81fad66614a6/kenmore_accela_wash_clean_washer.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/3a517307-9b2c-48d7-b697-fa84fb47e315/27679831577.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/a7de3d64-e0b1-4c4a-971d-d6f2f10e1904/left_behind_series_book_3.pdf (in PDF document text)
    • https://s3.amazonaws.com/zafijukopa/62598555562.pdf (in PDF document text)
    • https://s3.amazonaws.com/rokuwapesu/79153087178.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/f28591ab-4fe4-4953-99c5-8289d8550430/how_do_i_reset_my_moen_garbage_disposal.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/d0531685-a968-479f-801a-bbd1df24ade9/tatizivajeliz.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/e5de8ef5-c86a-4ff1-8b75-f8ec2ed3a35b/hayward_sp3400vsp_ecostar_vs_variable-speed_pool_pump_manual.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/57fed938-cbec-4150-9971-9a6f3052942c/principal_data_scientist_salary_nyc.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/9146e04c-6bde-48d8-85b7-26f700dd97f4/27313319104.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/038ce252-c56c-4543-be64-95a613c7176f/factory_reset_dlink_dir-890l.pdf (in PDF document text)
    • https://s3.amazonaws.com/suzujewa/luther_season_6_episode_guide.pdf (in PDF document text)
    • https://s3.amazonaws.com/fuzafuzeruwit/11529897670.pdf (in PDF document text)
    • https://s3.amazonaws.com/bopuxosavubare/scoreboard_template_css.pdf (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                       Size
font_00_sfnt_off00010c59.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x10C59   5860 bytes
  SHA-256: d3d214fe60eac9263681b203c064acfb21f5dcea71c520773636c959c0d9e6f3
font_01_sfnt_off00012030.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x12030   10816 bytes
  SHA-256: 50ea9ac42258a5e000ba40b3ae14b3e67ff6c0dd7ccf0ab7ff77c948e9c58fa2