Malicious PDF — malware analysis report

Static analysis result for SHA-256 b08a8f0e41999af5…

Verdict: MALICIOUS
File type: PDF
Size: 68.4 KB
Created: 2021-03-16 12:48:43 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9ed05e37f56dc6f846d9d1f506b8781c
SHA-1: 61adbab5bd2e92107592991f45d2706eeabc1f22
SHA-256: b08a8f0e41999af5d3f17d2899456967a34a529b08fe66cb1645706d5eb3587d
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was detected as malicious by ClamAV and by an ML classifier, and it exhibits the characteristics of a phishing or link-farm carrier. It contains a large number of external links, the most prominent being https://baarspo.ru/strik?utm_term=japanese+food+recipe+pdf. Although no scripts were extracted, the PDF structure and the heuristics that fired indicate a document built to redirect users to potentially harmful content or to support SEO manipulation.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8570

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://baarspo.ru/strik?utm_term=japanese+food+recipe+pdf
    • https://cdn-cms.f-static.net/uploads/4500904/normal_60469dafb0f17.pdf
    • http://feldhaus-klinker-plitka.ru/70403894698ir6rh.pdf
    • http://metazoaapc.fun/apa_latex_templatezi831.pdf
    • https://cdn-cms.f-static.net/uploads/4464710/normal_601bae330fc06.pdf
    • https://cdn.sqhk.co/verexoleki/pjdtdjj/vertigo_movie_online_free.pdf
    • https://cdn-cms.f-static.net/uploads/4485016/normal_60145c9ab29b5.pdf
    • https://gamajebijapam.weebly.com/uploads/1/3/1/8/131856653/d1c27e4.pdf
    • http://widuzuduzudovix.iblogger.org/roosevelt_inlet_lewes_de_fishing_report.pdf
    • http://priz24.site/wixusapikite47zvx.pdf
    • https://cdn.sqhk.co/zevolazezag/V3tVlvg/like_booster_for_tiktok.pdf
    • https://dobumixil.weebly.com/uploads/1/3/0/7/130738680/50323.pdf
    • https://cdn-cms.f-static.net/uploads/4475389/normal_603072367bacd.pdf
    • https://cdn-cms.f-static.net/uploads/4375340/normal_601e62af8e6ef.pdf
    • http://forsage.pw/how_to_install_k_cup_reusable_filteru1vul.pdf
    • https://cdn.sqhk.co/nixafusoda/d9gdrdo/87502338370.pdf
    • http://martakkord.ru/tijawinesovufoxuruzatote1ruey.pdf
    • https://bageribo.weebly.com/uploads/1/3/4/5/134592059/jefarebiji-zelijesexodax-kikumemanuded-fisefajataziw.pdf
    • http://geniusenglish.space/real_drum_games_pcc5g6s.pdf
    • http://argo-tourism.com/zaximefozu6rzm.pdf
    • http://kartaidatodemeleri.com/how_to_disable_hands_free_modetl682.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://vanazabeso.epizy.com/togutodaxeredinenelat.pdf
    • http://nisebot.epizy.com/knee_strengthening_exercises_nhs.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000e137.bin
  SHA-256: 10f6edb8abde11486297f2a8fe471291c9a1826a771c41a6b39ade439f57f996
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xE137
  Size: 5104 bytes

Filename: font_01_sfnt_off0000f2a8.bin
  SHA-256: d52502e298c6abdeb2ca909038b18525b41a29383c7d94a795e18cf11b3135bb
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF2A8
  Size: 10944 bytes