Malicious PDF — malware analysis report

Static analysis result for SHA-256 b2aca4c94e1a5f26…

MALICIOUS

PDF

80.4 KB Created: 2021-03-20 18:44:56 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b7c0cb86e211d4bada9795b4b45f7803 SHA-1: 3768cee0dbc0eabd453402864afd29d8f22dc6d7 SHA-256: b2aca4c94e1a5f26949695d517c4cc4da6d06133ab904f63b203d201b7fa80b9
126 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The file is identified as a malicious PDF by multiple heuristics and a machine learning classifier. It contains numerous embedded URLs, with one pointing to a link farm hosted on disposable domains. The PDF's content, though heavily obfuscated, appears to be a lure related to academic subjects, suggesting a phishing or SEO poisoning attack vector.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9054

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PDFSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://bologen.ru/award?keyword=cbse+class+12+economics+syllabus+2020+20+pdf
    • https://static.s123-cdn-static.com/uploads/4470985/normal_5ff920849975f.pdf
    • http://wivuperafuzo.mypressonline.com/favuwakaxageveb.pdf
    • https://cdn.sqhk.co/wifukatar/ihWKiaj/practice_spelling_words_for_2nd_grade.pdf
    • https://cdn.sqhk.co/mekerijiwuv/b0ifjgn/43590601248.pdf
    • https://cdn.sqhk.co/labifikup/dZYjjmR/black_high_heels_designer_shoes.pdf
    • http://lenuvivureropi.scienceontheweb.net/what_universal_remote_works_with_channel_master_dvr.pdf
    • http://xasedogamif.mypressonline.com/ninth_world_bestiary_2.pdf
    • http://bitoxifa.sportsontheweb.net/bevugeferune.pdf
    • http://gaxesujite.medianewsonline.com/jeluxubinidifenur.pdf
    • https://cdn-cms.f-static.net/uploads/4450260/normal_60337d83f0dbb.pdf
    • http://rarubife.mygamesonline.org/guitar_learning_book_free_download.pdf
    • https://cdn.sqhk.co/pomorezolo/diiQ7ih/rudekazodin.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/a9f250f1-b83e-4758-802b-e4334e716b44/61379852732.pdf
    • https://uploads.strikinglycdn.com/files/da5bc378-4136-42a7-bc5c-b584349d0538/adele_someone_like_you_piano_sheet_music_free.pdf
    • http://ditajizuru.rf.gd/chess_apk_for_pc_free.pdf
    • https://uploads.strikinglycdn.com/files/44618e2c-7388-4a36-b3a8-a76103ec6746/45280501713.pdf
    • http://mimosomudex.rf.gd/48908797415.pdf
    • https://uploads.strikinglycdn.com/files/fc19fb1e-3663-450a-aa73-13d2e69206d9/laboratory_manual_for_introductory_chemistry_concepts_and_critical_thinking_7th_edition.pdf
    • http://fimaxopazeviv.rf.gd/nujuseri.pdf
    • http://nekejikuxomufi.epizy.com/kenmore_front_loader_washer_leaking_from_bottom.pdf
    • https://uploads.strikinglycdn.com/files/da8108e5-8e34-47a7-b254-3cab62baf67e/thermador_range_parts_near_me.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f972.bin
bc8080375f931e5b82144c2c0bb2d8663f4eb6865f5526a22ade4fc3c9eda8de		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF972 5596 bytes
font_01_sfnt_off00010c64.bin
524115d97d3c0741f7cab256f44b4bf9529d40ece9955fb5151e1af6021b0ba2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10C64 11000 bytes
font_02_sfnt_off000131ea.bin
cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34		 pdf-font-stream PDF embedded font (sfnt) at offset 0x131EA 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.