Malicious PDF — malware analysis report

Static analysis result for SHA-256 a387d7c62753eb1b…

MALICIOUS

PDF

Size: 99.6 KB
Created: 2021-03-09 13:40:38 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5a800381b562cd4ea056a1b689cc1a8a
SHA-1: 2a3fa8514adcbfa9bc327fb24735e81ddc1eab51
SHA-256: a387d7c62753eb1bfc3cde0943e972df0315c6f4afd742c07065ccb84d86d3aa
Risk Score: 124

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains a large number of external links, many of which are SEO-optimized and point to potentially malicious domains, indicating a link farm or phishing attempt. The ClamAV detection as 'Pdf.Phishing.Trojan' further supports this assessment. While no scripts were directly extracted, the presence of numerous external links suggests an attempt to redirect users to malicious content, likely for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier clean score 0.1915

Heuristics (4)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://lozipotod.ru/award?keyword=biodata+format+for+marriage+in+marathi+language+pdf
    • https://wolunogejafijut.weebly.com/uploads/1/3/4/6/134649672/5177638.pdf
    • https://piwitaxoz.weebly.com/uploads/1/3/4/6/134603619/905da411a.pdf
    • http://edalovert.xyz/81498695022embst.pdf
    • https://wisipuluxix.weebly.com/uploads/1/3/1/3/131381675/bixuzoxusovaruj_zilodomimusemo.pdf
    • https://buxudirikebipur.weebly.com/uploads/1/3/1/1/131164004/1238930.pdf
    • https://kerumeso.weebly.com/uploads/1/3/4/6/134641164/tapumuxuwipoxe-gujivilidu-gupuzexubiziwo.pdf
    • https://cdn-cms.f-static.net/uploads/4486199/normal_602ad6aab9ec5.pdf
    • https://cdn-cms.f-static.net/uploads/4382949/normal_601baffa78650.pdf
    • http://magnifioco.site/32960830457sn73.pdf
    • https://bobusenig.weebly.com/uploads/1/3/4/8/134866704/kizowod.pdf
    • https://gubukaxonular.weebly.com/uploads/1/3/5/3/135349028/gupaza.pdf
    • http://goodsun.space/velocity_and_acceleration_problems_worksheet_answersm7vpc.pdf
    • https://cdn-cms.f-static.net/uploads/4367019/normal_601dc63149bbf.pdf
    • http://pet-guru.shop/77388921261xj4uc.pdf
    • https://bovabesizepin.weebly.com/uploads/1/3/1/3/131383515/2560877.pdf
    • http://floradoma.net/fanebewojalx50s9.pdf
    • https://tirokaroxere.weebly.com/uploads/1/3/2/7/132740449/baweleziporeluroru.pdf
    • https://static.s123-cdn-static.com/uploads/4408471/normal_5fc8cf7b948ab.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://fedorahosted.org/lohit
    • http://smc.org.in)MeeraRegularMeera2016SMC7.0.0+20171102Hussain
    • http://smc.org.inhttp://smc.org.in
    • http://www.indictrans.org
    • https://uploads.strikinglycdn.com/files/312f15ad-d904-4ea4-b516-af7e5b5aec23/military_survival_guide.pdf
    • https://uploads.strikinglycdn.com/files/784d2a68-527c-4cfc-b45d-d67ebd41ac56/2006_vw_jetta_gli_owners_manual.pdf
    • http://jizizubusede.epizy.com/renud.pdf
    • http://ritipoma.epizy.com/xibokabokawivedutov.pdf
    • https://uploads.strikinglycdn.com/files/f3ffff42-3409-446c-b982-52dee97666d4/can_i_get_my_driving_record_emailed_to_me.pdf
    • https://uploads.strikinglycdn.com/files/83ae8205-b642-4629-ab9f-cac0ea8f93fd/76656037699.pdf
    • https://uploads.strikinglycdn.com/files/9a32c875-ee2b-4c3d-855b-b7b0b3ce8d7a/psycho_cybernetics_workbook.pdf
    • http://scripts.sil.org/OFL
    • http://www.geocities.com/mitra_anirban/hobbies.htmGNU
    • http://www.gnu.org/copyleft/gpl.htmRegular
    • https://gitlab.com/smc/meera/blob/master/COPYING

Extracted artifacts (8)

Files carved from inside the sample during analysis.

| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off00012329.bin | af02fda430cce755f7d7488336d0a6e9e01fa3d737b6382cdac46f46ceba86bb | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12329 | 5324 bytes |
| font_01_sfnt_off00013522.bin | ff8289fcab20b7b81f5dc7c47458689637225d7099c48932a46d6898d6123f6c | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13522 | 2656 bytes |
| font_02_sfnt_off00014027.bin | f1be7acdc1233dfd547078f0a223d5430f641ffade88df9d521fa5b0b675a367 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x14027 | 6076 bytes |
| font_03_sfnt_off000153e0.bin | b5c6b6e0c9ada0bf1c6b02372d38a6194b0fc304f51b15768a03b7bd417def48 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x153E0 | 3048 bytes |
| font_04_sfnt_off00015fef.bin | 18b250f24057ce91e4a59b25c1eec79fa8b4d7e2cb9f6c0de02c7e032a072fd4 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x15FEF | 2328 bytes |
| font_05_sfnt_off00016aa4.bin | 5fc9e2cd4e7ad04544edda2023dd698132b65daf167a61e09de9fd8de66d8b52 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x16AA4 | 2108 bytes |
| font_06_sfnt_off00017479.bin | 5fd53e2058c4f5d98b70161d670f1e42036942552fef68ac845a5e47e2d7f715 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x17479 | 2604 bytes |
| font_07_sfnt_off00017f99.bin | 87016e8933cc862d1d188edfbee698abcff8178ed3d6b510b61737ee02f60284 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x17F99 | 4336 bytes |