Malicious PDF — malware analysis report

Static analysis result for SHA-256 a797bcf920ab5526…

MALICIOUS

PDF

Size: 118.7 KB
Created: 2021-04-04 12:10:38 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 43223821b4d9d5dac17f1e9928dc1e08
SHA-1: be12fc2bf5ef2443585dc913c993f906e7b4ed36
SHA-256: a797bcf920ab55261fd0e4fb0834aee77fec98c28f0a46dd985e01c569ba2803
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many pointing to PDFs hosted on file-sharing services, suggesting a link farm or SEO poisoning tactic. The ClamAV detection and ML classifier indicate malicious intent, likely to distribute further malware or phishing content. Although no scripts were explicitly extracted, the PDF structure and numerous external links are indicative of a malicious document designed to redirect users to harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7501

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • PDF differential parser failed [info] PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PDFSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://lozipotod.ru/award?keyword=seismic+design+of+structures+pdf
    • https://zejotagidegixop.weebly.com/uploads/1/3/4/5/134522105/158288.pdf
    • http://ontrade.top/metodologa_de_la_investigacin_sampieriobq92.pdf
    • https://besiwalufeg.weebly.com/uploads/1/3/2/6/132696214/8983176.pdf
    • https://gepumisi.weebly.com/uploads/1/3/4/5/134517510/sukimefejuwol.pdf
    • https://widosutolitidaf.weebly.com/uploads/1/3/4/8/134847614/e7b72.pdf
    • https://mopomavimixefor.weebly.com/uploads/1/3/1/1/131164117/timuxezudisuvu.pdf
    • http://cmbclientes.com/2016_ford_mustang_ecoboost_reviewsr1zqo.pdf
    • http://bathforlegs.xyz/30870279520w3lct.pdf
    • http://organize.shop/67313051560b4an6.pdf
    • http://tokio-2020.fun/wosomop93f81.pdf
    • http://lianhua.life/why_is_my_tv_light_flashing_red3akzm.pdf
    • http://bellissimo.online/91605080140vfs92.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/d27183aa-deb2-465b-a4d9-126acae2099b/tinepuzenugoxote.pdf
    • https://s3.amazonaws.com/wetowuzuxit/como_agua_para_chocolate_frases_fosforos.pdf
    • https://uploads.strikinglycdn.com/files/ac4df8da-75fa-4eaf-b060-342a69839f22/72207652848.pdf
    • https://78636f1b-f2d6-4e4a-b4e1-07eac4c165d1.filesusr.com/ugd/434c97_c7daedac947341bdb65ad1295bf23ed1.pdf?index=true
    • https://uploads.strikinglycdn.com/files/05a959c8-4541-4457-a2c4-f266c77d458e/73750456980.pdf
    • https://s3.amazonaws.com/sixolose/zakoturisedoxaze.pdf
    • https://30372bae-fb3d-4285-bee0-d91e70c22047.filesusr.com/ugd/835091_a8931bdff31649e192fc2169f419204d.pdf?index=true
    • https://s3.amazonaws.com/zafijukopa/bardaasht_full_song.pdf
    • https://uploads.strikinglycdn.com/files/0b58c203-f0a7-4420-ab2b-35b58e29ff4e/who_is_the_best_salesman_of_all_time.pdf
    • https://s3.amazonaws.com/dudurat/weroxotalibiwopawex.pdf
    • https://332892e0-6a2b-40ad-946e-e7c92c61c867.filesusr.com/ugd/3e5d97_d3bd6a7900b348cf957cdeeec6843649.pdf?index=true
    • https://uploads.strikinglycdn.com/files/19432dd8-7780-419d-b447-544ad0129138/34165473676.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00017a71.bin
    SHA-256: d9423133ccd7756d3f9fb83dae84ec1346df78a67587f3a533042e32f719949c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x17A71
    Size: 7164 bytes
  • font_01_sfnt_off000192ce.bin
    SHA-256: 7297817991ab5f2024c45419fad933770093b0981af09801a01e1615886c4b8b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x192CE
    Size: 5216 bytes
  • font_02_sfnt_off0001a46d.bin
    SHA-256: e99756a05b03133572871a11c5c3b4cadf2ff9bf4fd6b4e9451486f5e55f0bcb
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1A46D
    Size: 11424 bytes
  • font_03_sfnt_off0001cad9.bin
    SHA-256: 0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1CAD9
    Size: 4324 bytes