Malicious PDF — malware analysis report

Static analysis result for SHA-256 aa4ecc9350f058bd…

MALICIOUS

PDF

Size: 81.6 KB
Created: 2021-03-23 19:22:42 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-06-30
MD5: 11adbb0b88f80a64036c1b3b72546ee7
SHA-1: 1581403aa9f4d1a4d5de88c436ba51c00564d4c0
SHA-256: aa4ecc9350f058bd9e0012dbfeeb65ce1af297f1856db41800387f4f87481868
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous external links, characteristic of a link farm designed to improve search engine rankings for specific keywords like 'canzoniere chitarra pdf download gratis'. The heuristic 'PDF_SEO_LINK_FARM' indicates a mass of external PDF links, suggesting a phishing or malware distribution scheme. ClamAV detection as 'Pdf.Phishing.Trojan' further supports the malicious nature of the document.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6167

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PDFSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://resalured.ru/award?keyword=canzoniere+chitarra+pdf+download+gratis (PDF link annotation)
    • https://cdn.sqhk.co/bodegife/ljbchbQ/gobalizifu.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4423429/normal_5fd065407722b.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4369930/normal_60084420e9bf5.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4476751/normal_6033a64fb5aeb.pdf (in PDF document text)
    • https://cdn.sqhk.co/fijajiles/jcxjajb/hockey_mvp_winners.pdf (in PDF document text)
    • https://cdn.sqhk.co/sufipuxifemo/oBibWha/exit_the_maze_3d_labyrinth_labirin_run_games.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4365584/normal_5fee339bd4c97.pdf (in PDF document text)
    • https://zurukuwimuso.weebly.com/uploads/1/3/4/3/134325804/5329dee8630.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4443610/normal_5ff6b63eab3a2.pdf (in PDF document text)
    • https://pabalosuto.weebly.com/uploads/1/3/0/8/130813917/fafukabonaxusomupi.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4451927/normal_5ff52305b290b.pdf (in PDF document text)
    • https://zozelezike.weebly.com/uploads/1/3/4/4/134434207/lowipukosapim.pdf (in PDF document text)
    • http://pogumuwoma.iblogger.org/dodolutalove.pdf (in PDF document text)
    • https://cdn.sqhk.co/nufomewo/gdiewje/wrought_iron_garden_stuff_minecraft.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4391954/normal_6010993e2cbb6.pdf (in PDF document text)
    • http://manoligixave.66ghz.com/60715062686.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4453338/normal_5fff08544158f.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4413244/normal_6036c030c2f6c.pdf (in PDF document text)
    • https://cdn.sqhk.co/joxezexukub/Cjbichc/zedufuxolemujiwu.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4409122/normal_5ffdbe0e34d98.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • http://www.daltonmaag.com/ (in PDF document text)
    • http://wiwafejopof.epizy.com/disentri_amoebiasis.pdf (in PDF document text)
    • http://jupefavasareje.rf.gd/adobe_illustrator_cc_2020_tutorials_free_download.pdf (in PDF document text)
    • http://teraropabu.epizy.com/properties_of_austenite_ferrite_pearlite_martensite.pdf (in PDF document text)
    • http://bomowufawifebi.rf.gd/clinical_pharmacology_and_therapeutics_lecture_notes.pdf (in PDF document text)
    • http://vimetogobosibim.rf.gd/whirlpool_edr2rxd1_refrigerator_water_filter_filter2_3-pack.pdf (in PDF document text)
    • http://bamafeze.rf.gd/instalacion_de_paneles_solares_termicos.pdf (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000e789.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE789 | 5372 bytes
  SHA-256: 6915a70d0ad053c5eaf5041f6edff5ae2de4827ebd90e653d96a1e7136640a02
font_01_sfnt_off0000f9e9.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF9E9 | 11744 bytes
  SHA-256: 8d567bae3754fef697258c8861d9264447f3dcbe36f0fbe7b820d1dda498b743
font_02_sfnt_off000120a8.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x120A8 | 16484 bytes
  SHA-256: 114dd0ab57dac5ced6b3e70ba4dce55c2fc047b4e68243af182c5c5a5dbc8541
font_03_sfnt_off000136f8.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x136F8 | 4324 bytes
  SHA-256: 05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176