Malicious PDF — malware analysis report

Static analysis result for SHA-256 ab19539ef77b21e0…

MALICIOUS

PDF

64.0 KB Created: 2021-05-14 06:44:09 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ea645355ec272df25383b613d145662b SHA-1: e2a59d565dc2876c651135a2b56774d51d5250ae SHA-256: ab19539ef77b21e06c1d1cec2552f88b896bb0db327c9c0e6e50811ae4f1123d
124 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was detected as malicious by ClamAV and an ML classifier, and contains multiple embedded URLs. One prominent URL, 'https://mezovuduw.ru/strik?utm_term=toyota+techstream+activation+code', suggests a phishing attempt related to software activation. The PDF also exhibits characteristics of a link farm on disposable hosting, further indicating malicious intent. No scripts were extracted, but the overall structure and embedded URLs point towards a phishing or malware distribution campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8781

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://mezovuduw.ru/strik?utm_term=toyota+techstream+activation+code
    • https://cdn-cms.f-static.net/uploads/4424991/normal_5fd63be5cead4.pdf
    • https://static.s123-cdn-static.com/uploads/4468550/normal_5fddd0f5e1a62.pdf
    • https://cdn.sqhk.co/dagozuwemep/jaGBChb/earthquake_utah_magna.pdf
    • https://cdn.sqhk.co/bitaxukezor/jjKsFgi/nibadozobuda.pdf
    • https://static.s123-cdn-static.com/uploads/4388407/normal_5ffaa23fef5cb.pdf
    • https://cdn.sqhk.co/bisegepamitu/VgcLgcl/hockey_keeper_tips.pdf
    • https://cdn.sqhk.co/kazakilen/jaUagdt/meme_soundboard_pro_2019_download.pdf
    • https://cdn.sqhk.co/nilamemiw/fjfBhhy/square_enix_software_token_not_working.pdf
    • https://static.s123-cdn-static.com/uploads/4473035/normal_5ff64db7a1fbb.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/perurulexi/lejinifesiratovogar.pdf
    • https://s3.amazonaws.com/gazivemon/sonijojufopuwapewivo.pdf
    • https://s3.amazonaws.com/memexelu/imb_annual_report_nottingham.pdf
    • https://86042ffc-9b62-460b-8552-fb2522205a17.filesusr.com/ugd/4f92c1_dc8a45380b124770bac394d9e5c419dc.pdf?index=true
    • https://cc652f91-b1ab-470c-b36f-46d838ef85b2.filesusr.com/ugd/fbccce_44a45992c31c407f811961d9ea5c05ff.pdf?index=true
    • https://6131fb9f-3080-406c-a6ab-c4686b6a2f6f.filesusr.com/ugd/52be6f_b8d5b19792624d0597fbb92fabab6fcc.pdf?index=true
    • https://eac5c218-d238-408c-98a6-8ff0ecbb25fc.filesusr.com/ugd/b1277d_60fc4b872d274da489cae15eb0a834ee.pdf?index=true
    • https://a3c35cc3-4a3f-4d41-ab51-8b3e4b114d30.filesusr.com/ugd/2b25b5_89eb4904b1914151a8b1deed1da9cc79.pdf?index=true
    • https://s3.amazonaws.com/tirimofufemukat/bodyguard_movie_songs_free_320kbps.pdf
    • https://ffb80149-315c-4936-8637-e87477b606fc.filesusr.com/ugd/e7410d_e67d3f4311cb4981b68acb595f89f77f.pdf?index=true
    • https://010f2e21-25ca-4560-806d-08cbbb7c7db1.filesusr.com/ugd/74a852_43ca044269184b56bcdaa56f876ab985.pdf?index=true
    • https://6d4cd3b7-91e9-43ac-92b9-205473f1e50d.filesusr.com/ugd/28146e_aeaa4922b84447a3b21d1063f147191b.pdf?index=true
    • https://9db8f275-5044-409a-aa1b-3306d9dda9bd.filesusr.com/ugd/361f4b_e5f3bbd29aa54b5286d477f744ea41a0.pdf?index=true
    • http://scripts.sil.org/OFL

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000eee9.bin
8aaf62856d0a2dbd552ac823c79c21553c5f9888ecc18066fd820887519e0c34		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEEE9 5256 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.