Malicious PDF — malware analysis report

Static analysis result for SHA-256 b22b24f2bbbcafa1…

Verdict: MALICIOUS
File type: PDF
Size: 84.5 KB
Created: 2021-03-10 00:20:41 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ec96bc690a7c87861713070817500b7c
SHA-1: d69f9276d97c5782d5d30ad8e94798e82ea94b23
SHA-256: b22b24f2bbbcafa1eee7e816bd77eb7e091dacbd7cd367fc00184e261076abad
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF carries a large number of external links and trips the PDF_SEO_LINK_FARM heuristic, a pattern associated with search-engine manipulation or with routing readers to unwanted content. The Nyx classifier (malicious score 0.9129) and the ClamAV signature independently rate the file malicious. No JavaScript or other script was extracted, so the T1059.007 mapping is not corroborated by any carved artifact; the embedded URLs and the link-farm layout point to a phishing or content-luring delivery chain. When reading the URL list, note that the scripts.sil.org/OFL and dejavu.sourceforge.net entries are font-licence references that belong with the three embedded sfnt fonts carved below, not lure links, so the effective link count is somewhat lower than the raw total.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9129

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF_URI (info): External URI
    PDF contains an external URL action
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://midufefew.ru/award?keyword=anemias+microcytic+pdf
    • https://static.s123-cdn-static.com/uploads/4416125/normal_5fdf5369d2b02.pdf
    • https://cdn-cms.f-static.net/uploads/4407733/normal_60173a5d93949.pdf
    • http://sovadarasuzepa.iblogger.org/18352412108.pdf
    • https://cdn-cms.f-static.net/uploads/4447252/normal_6028fe9b96feb.pdf
    • https://cdn-cms.f-static.net/uploads/4464877/normal_6040649c4beb0.pdf
    • https://static.s123-cdn-static.com/uploads/4383929/normal_5fefcc60ab05b.pdf
    • https://static.s123-cdn-static.com/uploads/4450440/normal_5fcbfbe28d564.pdf
    • https://cdn-cms.f-static.net/uploads/4376858/normal_5fe6deaf539d9.pdf
    • https://cdn-cms.f-static.net/uploads/4417645/normal_603b5f426f3bd.pdf
    • https://cdn-cms.f-static.net/uploads/4367622/normal_6027a75bc7de0.pdf
    • https://cdn-cms.f-static.net/uploads/4366654/normal_5fd5f50cb546b.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://nunitew.rf.gd/airway_management_devices.pdf
    • http://kagabefusexem.epizy.com/16282490392.pdf
    • https://s3.amazonaws.com/muwemivumazulax/jadotulunibug.pdf
    • https://s3.amazonaws.com/xukirizugukugi/18281137911.pdf
    • https://2489a575-72f7-492f-b117-28cfe4a4d2a3.filesusr.com/ugd/d81705_47d80ed71b0b4591ba3f56d5dbcdfdfe.pdf?index=true
    • https://uploads.strikinglycdn.com/files/4a9a0899-333d-4568-8297-dfc8d1c6614b/xuzapa.pdf
    • http://maretazijedoval.epizy.com/84713927289.pdf
    • https://s3.amazonaws.com/woxewiwupir/plan_unico_de_cuentas_para_comerciantes_en_colombia.pdf
    • https://c1cb471f-fc5c-4ef2-b3e1-4d0d0d09d135.filesusr.com/ugd/cc5b41_f3f872777e5e441faa4d0543f4300bac.pdf?index=true
    • https://s3.amazonaws.com/legipalofi/july_2020_calendar_template_word.pdf
    • https://b1d4f555-1eac-4d61-aa83-27206cf3ee4b.filesusr.com/ugd/1706f5_757adf8d8f87437e87df5f55ed16f0f4.pdf?index=true
    • https://s3.amazonaws.com/numunenoji/30200861847.pdf
    • https://uploads.strikinglycdn.com/files/8cc6abc2-825c-4a0b-94a3-d69e3cf1521e/hp_deskjet_960c_series_software_downloads.pdf
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
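The PDF_SEO_LINK_FARM, PDF_URI and EMBEDDED_URL entries above describe one pipeline: pull the /URI action targets out of the file, then score the document on size, link count and how concentrated the targets are. The following is an added example written for this report, not the analysis platform's own code. It builds a constructed PDF with placeholder hosts (example.net and friends, not the hosts listed above), extracts the /URI literal strings with a raw-byte regex, and applies thresholds (max_size, min_links, min_share) that are illustrative assumptions rather than the platform's settings.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample input: a minimal PDF whose link annotations carry /URI
# actions. Host names are placeholders and are not taken from the analysed file.
SAMPLE_URLS = (
    ["https://cdn.example.net/uploads/%d/normal_%d.pdf" % (i, i) for i in range(8)]
    + ["http://blog.example.org/1.pdf",
       "https://s3.example.com/x/2.pdf",
       "http://fonts.example.com/",
       "http://license.example.org/OFL"]
)


def build_sample_pdf(urls):
    """Serialise one page with a /Link annotation per URL (uncompressed, no xref)."""
    annot_ids = list(range(4, 4 + len(urls)))
    body = [
        b"%PDF-1.4",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [%s] >> endobj"
        % b" ".join(b"%d 0 R" % i for i in annot_ids),
    ]
    for i, u in zip(annot_ids, urls):
        body.append(b"%d 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                    b"/A << /S /URI /URI (%s) >> >> endobj" % (i, u.encode("latin-1")))
    body.append(b"trailer << /Root 1 0 R >>\n%%EOF")
    return b"\n".join(body)


# /URI followed by a PDF literal string; backslash escapes inside are allowed.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def extract_uri_actions(pdf_bytes):
    """Pull the targets of /URI actions written as PDF literal strings.

    Caveat: this scans raw bytes only. Annotations inside FlateDecode object
    streams (common in generator output such as wkhtmltopdf) must be inflated
    first, and hex-string URIs (<...>) are not handled here.
    """
    urls = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = m.group(1)
        for esc, lit in ((b"\\(", b"("), (b"\\)", b")"), (b"\\\\", b"\\")):
            raw = raw.replace(esc, lit)
        urls.append(raw.decode("latin-1"))
    return urls


def link_farm_verdict(pdf_bytes, max_size=200 * 1024, min_links=10, min_share=0.5):
    """Small document + many external links + concentrated targets => link farm.
    Thresholds are illustrative assumptions, not the platform's tuning."""
    external = [u for u in extract_uri_actions(pdf_bytes)
                if urlparse(u).scheme in ("http", "https")]
    n = len(external)
    hosts = Counter(urlparse(u).netloc.lower() for u in external)
    pdf_targets = [u for u in external if urlparse(u).path.lower().endswith(".pdf")]
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    v = {
        "size": len(pdf_bytes),
        "external_links": n,
        "pdf_targets": len(pdf_targets),
        "top_host": top_host,
        "top_host_share": round(top_n / n, 3) if n else 0.0,
        "pdf_share": round(len(pdf_targets) / n, 3) if n else 0.0,
        "flag": False,
        "reason": "",
    }
    if v["size"] > max_size:
        v["reason"] = "document larger than %d bytes" % max_size
    elif n < min_links:
        v["reason"] = "only %d external links" % n
    elif v["pdf_share"] < min_share and v["top_host_share"] < min_share:
        v["reason"] = "links are neither mostly .pdf targets nor clustered on one host"
    else:
        v["flag"] = True
        v["reason"] = ("PDF_SEO_LINK_FARM: %d external links, %d to .pdf files, %.0f%% on %s"
                       % (n, len(pdf_targets), 100 * v["top_host_share"], top_host))
    return v


SAMPLE_PDF = build_sample_pdf(SAMPLE_URLS)

if __name__ == "__main__":
    for key, val in link_farm_verdict(SAMPLE_PDF).items():
        print("%-15s %s" % (key, val))
```

On the constructed sample the verdict flags 12 external links, 10 of them .pdf targets, with two thirds on one host; trimming the list to three links drops the flag. On a real generator-produced PDF, run the same extraction after inflating compressed object streams, or the regex will miss most annotations.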

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      SHA-256                                                           Kind             Source                                       Size
font_00_sfnt_off00010918.bin  f515c05655827009aaed2d2b6cd406e5510ee66bf5f48382096a928b7a7654c9  pdf-font-stream  PDF embedded font (sfnt) at offset 0x10918   5360 bytes
font_01_sfnt_off00011b45.bin  57790ce8e4021e8052136c1ec1f5e38cc4e960d1901e20373fcfff1fb1319c7a  pdf-font-stream  PDF embedded font (sfnt) at offset 0x11B45   10488 bytes
font_02_sfnt_off00013f68.bin  98bbda09e34957c2c47eea570891e411fa41ced272e9777bbef021ce7395b75a  pdf-font-stream  PDF embedded font (sfnt) at offset 0x13F68   16148 bytes
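The artifact table records each embedded font by the offset of its sfnt header and the byte length recovered from it. The following is an added example of how such a carve can be done, written for this report and not the analysis platform's own carver: it scans for the three sfnt signatures, validates the table directory so that the word "true" inside an ordinary PDF dictionary is rejected, derives the font length from the highest table end, and names the output the way the table above does. The sample font and the PDF wrapper around it are constructed inline; the table contents are dummy bytes.

```python
import hashlib
import struct

# sfnt container signatures: TrueType (0x00010000), Apple 'true', CFF-based OpenType 'OTTO'.
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO")


def sfnt_length(buf, off):
    """Length of the sfnt at buf[off:], computed from its table directory, or
    None if the bytes at off do not parse as a plausible directory."""
    if off + 12 > len(buf):
        return None
    num_tables = struct.unpack(">H", buf[off + 4:off + 6])[0]
    if num_tables == 0 or num_tables > 64:      # 'true' in a PDF dict fails here
        return None
    dir_len = 12 + 16 * num_tables
    if off + dir_len > len(buf):
        return None
    end = dir_len
    for i in range(num_tables):
        rec = off + 12 + 16 * i
        tag, _checksum, t_off, t_len = struct.unpack(">4sIII", buf[rec:rec + 16])
        if not all(0x20 <= c < 0x7F for c in tag):  # table tags are printable ASCII
            return None
        if t_off < dir_len or off + t_off + t_len > len(buf):
            return None
        end = max(end, t_off + t_len)
    return min((end + 3) & ~3, len(buf) - off)   # table data is 4-byte aligned


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def carve_sfnt_fonts(buf):
    """Scan buf for sfnt headers and return name/offset/size/sha256 for each one
    whose table directory validates; false hits are skipped one byte on."""
    found, pos = [], 0
    while True:
        hits = [i for i in (buf.find(m, pos) for m in SFNT_MAGICS) if i != -1]
        if not hits:
            break
        off = min(hits)
        size = sfnt_length(buf, off)
        if size is None:
            pos = off + 1
            continue
        data = buf[off:off + size]
        found.append({
            "name": "font_%02d_sfnt_off%08x.bin" % (len(found), off),
            "offset": off,
            "size": size,
            "sha256": sha256_hex(data),
        })
        pos = off + size
    return found


def build_sample_sfnt(tables):
    """Constructed minimal sfnt: header, directory, then 4-byte-aligned table data.
    Search fields in the header are filled but not validated by the carver."""
    num = len(tables)
    off = 12 + 16 * num
    header = b"\x00\x01\x00\x00" + struct.pack(">HHHH", num, 16 * num, 0, 0)
    records, payload = b"", b""
    for tag, data in tables:
        records += struct.pack(">4sIII", tag, 0, off, len(data))
        padded = data + b"\x00" * (-len(data) % 4)
        payload += padded
        off += len(padded)
    return header + records + payload


# Constructed sample: the font wrapped in an uncompressed PDF stream. The
# '/Marked true' entry in front is a deliberate decoy for the 'true' magic.
SAMPLE_FONT = build_sample_sfnt([(b"head", b"\x00" * 54), (b"name", b"A" * 20)])
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj << /MarkInfo << /Marked true >> >> endobj\n"
    + (b"2 0 obj << /Length %d >> stream\n" % len(SAMPLE_FONT))
    + SAMPLE_FONT
    + b"\nendstream endobj\n%%EOF\n"
)

if __name__ == "__main__":
    for f in carve_sfnt_fonts(SAMPLE_PDF):
        print("%-28s %s  sfnt at offset 0x%X  %d bytes"
              % (f["name"], f["sha256"], f["offset"], f["size"]))
```

As with the URL extraction, this only sees fonts in uncompressed streams; font streams in a real document are usually FlateDecode-compressed and must be inflated before scanning, which is also why a carver keys on the table directory rather than on a stream /Length value.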