Malicious PDF — malware analysis report

Static analysis result for SHA-256 ac51ebb1298690a9…

MALICIOUS

PDF

Size: 73.4 KB
Created: 2021-03-24 10:15:11 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0bbf74391a943c8cde77874cbddf8929
SHA-1: 752eed45853c859aa5d8101ca65a7bdaa5844424
SHA-256: ac51ebb1298690a98b535451e7d05b626a495b05c6976008eee2b478e9ab1567
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged as malicious by ClamAV and by an ML classifier, indicating a high likelihood of malicious intent. The PDF contains a large number of external links, suggesting it is part of a link farm designed to drive traffic to potentially malicious websites. The primary URL points to a resource that appears to be a search result for a book, likely a lure to entice users to click through.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9162

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical; PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical; CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (info; PDF_URI)
    PDF contains an external URL action
  • PDF differential parser failed (info; PDF_DIFFERENTIAL_PARSE_FAILED)
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PDFSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • Embedded URL (info; EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://soxebez.ru/award?keyword=estadistica+para+negocios+y+economia+anderson+12+edicion+pdf+solucionario

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000d466.bin | 2cd5f4cbcd2e76e24bd4aaf959f24ab3f8f9b71e5380c84d7745c77c78e597f0 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD466 | 5716 bytes
font_01_sfnt_off0000e7e1.bin | e762f8512fd9559a8d6c0114cb54b20ec0b756848fe7e5a033f55d61bc4f854e | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE7E1 | 11120 bytes
font_02_sfnt_off00010cf5.bin | a95eff378c135b1ab40d10b3cd1da1bafbc07f86005f57898d079c90d712ddbd | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10CF5 | 16204 bytes