Malicious PDF — malware analysis report

Static analysis result for SHA-256 ac83e898b92e9ea5…

MALICIOUS

PDF

74.6 KB Created: 2021-04-19 23:24:39 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 13f413e5e73aec9806ca4f713b1b627e SHA-1: 1ea853ae02ab0a0521b8e5faee3fc6e92c9dcbb3 SHA-256: ac83e898b92e9ea5e8685556d833ab654cad45707c9e06a0f63edb804eb67e03
184 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier. It contains a large number of external links, many of which are hosted on disposable domains, suggesting a link farm or phishing attempt. One of the primary URLs, 'https://mezovuduw.ru/strik?utm_term=goat+simulator+play+free+online+no+download', appears to be a lure for users searching for free games, likely leading to a phishing or malware download site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9800

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://mezovuduw.ru/strik?utm_term=goat+simulator+play+free+online+no+download
    • https://cdn-cms.f-static.net/uploads/4387420/normal_604e300784bf5.pdf
    • http://davupopebuwiser.sportsontheweb.net/45732778508.pdf
    • https://cdn-cms.f-static.net/uploads/4489257/normal_6054ec605c6d2.pdf
    • https://cdn-cms.f-static.net/uploads/4469617/normal_601b449e3429b.pdf
    • http://kobopez.mygamesonline.org/smoking_and_spontaneous_abortion.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://69df74eb-9f83-488d-97bb-abb55063df61.filesusr.com/ugd/f34323_1877599d790941e69ff7962ef496f410.pdf?index=true
    • https://aca292c6-a3ee-4c96-b4c9-db15c8eca1b9.filesusr.com/ugd/cd1d52_96a963d0fb784d3da195369f8b087e75.pdf?index=true
    • https://s3.amazonaws.com/toniseligiwuzux/72150069508.pdf
    • https://18e99e0c-7034-4a8c-9069-267580a295b8.filesusr.com/ugd/b337f5_4c0bad6beb7b48a9b36c04553e226589.pdf?index=true
    • https://8aefc570-8454-48c3-bb63-d4d1067b7ce0.filesusr.com/ugd/5c9621_3150b3fc4c1740ea97eeff12875a0542.pdf?index=true
    • https://uploads.strikinglycdn.com/files/48fea0d3-14fa-4d97-97d9-880b3590038e/49985650520.pdf
    • https://d872ce2a-2baf-4032-ab86-ab75b2f66d52.filesusr.com/ugd/338562_2b990525401c4bf4bd11e818cd4ce833.pdf?index=true
    • https://uploads.strikinglycdn.com/files/948575f8-d86d-4c10-81e9-fd827e8cfa68/57373130624.pdf
    • https://1fc3e790-19e1-43b7-bae7-d09a953f51fe.filesusr.com/ugd/2c608b_e8fc243a54144083b9ce0a5a4e663c5e.pdf?index=true
    • https://18e99e0c-7034-4a8c-9069-267580a295b8.filesusr.com/ugd/b337f5_3c3c67d5df924300a91b0b57c3b2be98.pdf?index=true
    • https://uploads.strikinglycdn.com/files/7e2188b4-0664-467c-af20-80db4123ee38/content_writer_income.pdf
    • https://s3.amazonaws.com/sobaketemu/relative_clauses_exercises_multiple_choice_with_answers.pdf
    • https://1e8c0764-4a0f-46ab-84a2-5f63a8a44928.filesusr.com/ugd/6a0acf_2e4d7ce3fb4348c79cbdba7823df23f4.pdf?index=true
    • http://scripts.sil.org/OFL

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00010c15.bin
2af363f1626b4d83c55519da82684fc25c8eff9c37c6f16f9efa5f9d5680ecf2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10C15 5412 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.