Malicious PDF — malware analysis report

Static analysis result for SHA-256 b6378d6eb8d9eae5…

Verdict: MALICIOUS
File type: PDF
Size: 70.5 KB
Created: 2021-06-04 03:10:16 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ee168bf515d417b6bc588287a3a6092f
SHA-1: 314167aa952302a10d16b510739e8f1235d23525
SHA-256: b6378d6eb8d9eae5a2da4f737bb9dc5def7a5906146e61542f32d4932a0cd3da
Risk score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

This PDF was flagged as malicious by several independent signals: a critical ClamAV signature (Pdf.Phishing.Trojan), the Nyx PDF classifier (malicious score 0.8554) and the PDF_SEO_LINK_FARM heuristic. The file is small (70.5 KB), was generated with wkhtmltopdf, and carries 20 extracted URLs, 17 of them clickable external links that almost all point at further PDFs hosted on free web-hosting services (weebly.com, pbworks.com, strikinglycdn.com), plus one tracking-style URL on philabc.ru. None of the link targets is a known-good document host, and the report classifies several of them as unknown or potentially malicious. That structure matches generated SEO/link-farm PDF carriers that route users into phishing or unwanted-software delivery chains rather than a document with a normal citation pattern. No JavaScript or other script content was extracted, so the T1059.007 mapping above is not supported by the extracted artifacts; the verdict rests on the link structure and the signature/classifier hits, and every linked URL should be treated as untrusted until resolved in a sandbox. The two ascendercorp.com URLs and scripts.sil.org/OFL are font-licence references of the kind carried in embedded font metadata (two sfnt fonts were carved from the file, see Extracted artifacts below) rather than part of the link farm; this attribution is inferred from the URL content, since per-URL channel labels are not reproduced in this report.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8554

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF_URI (info): External URI
    PDF contains an external URL action
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://philabc.ru/pbw?utm_term=alora+sealord+code
    • https://buwotudotep.weebly.com/uploads/1/3/1/6/131606539/fewetom.pdf
    • https://dedotomonifagax.weebly.com/uploads/1/3/1/6/131606429/xoxafirezur.pdf
    • https://ziwagugo.weebly.com/uploads/1/3/4/1/134131511/7278621.pdf
    • https://mobixunusam.weebly.com/uploads/1/3/4/8/134884540/rixetowe.pdf
    • https://muzunamarufo.weebly.com/uploads/1/3/4/4/134463020/xetorivazawog.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/88bfbf12-6419-450f-a3ef-54cb87a23019/integration_of_cos2x_sinx_dx.pdf
    • http://refarumiba.pbworks.com/f/24665614571.pdf
    • https://uploads.strikinglycdn.com/files/6b9eeb13-295b-429e-a0fe-a9a0e7346443/shimano_di2_groupset_rim_brake.pdf
    • http://pidexuxok.pbworks.com/f/48460094749.pdf
    • http://werinenimuta.pbworks.com/f/the_boss_baby_in_hindi_full_movie_download_filmywap.pdf
    • https://uploads.strikinglycdn.com/files/fdcd692d-420a-413b-a9b6-8f9de39869ad/what_is_the_stock_symbol_for_cbd_oil.pdf
    • http://dawijunegolo.pbworks.com/f/gazekalepakedozoxulolexa.pdf
    • https://uploads.strikinglycdn.com/files/babc9906-11d2-4d67-9f5e-636bf3d5ea0a/nofibakobijewavose.pdf
    • http://mapaduzipi.pbworks.com/f/littlest_pet_shop_hack_apk_download.pdf
    • https://uploads.strikinglycdn.com/files/e91bb4b9-6535-4af0-910f-a0d220378111/comptia_linux_guide_to_linux_certification_ch._3_review_questions.pdf
    • http://kufujibumufa.pbworks.com/f/how_old_is_samsung_galaxy_grand_prime.pdf
    • http://scripts.sil.org/OFL
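The PDF_SEO_LINK_FARM and EMBEDDED_URL heuristics above describe their logic only in prose. The following Python is an added example, not the analysis platform's own code: using only the standard library it extracts every /URI link-annotation target from raw PDF bytes, separately labels URLs that occur only in the document body (the channel distinction the EMBEDDED_URL note refers to, which is where font-licence strings such as the OFL URL come from), groups the clickable links by site and returns a link-farm verdict. The sample PDF, its hostnames (freehost.example and friends) and the thresholds (10 links, 200 KB, 50% of links on one site) are constructed assumptions for illustration.

```python
"""Added example (not the report's code): stdlib-only PDF link-farm heuristic.
Extracts /URI link-annotation targets, labels body-only URLs separately and
flags small PDFs whose clickable links cluster on one site. Sample data and
thresholds are constructed assumptions."""
import re
from collections import Counter
from urllib.parse import urlsplit

_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)   # /URI (...)
_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")                 # /URI <hex>
_BODY = re.compile(rb"https?://[^\s()<>\[\]]+")                    # any URL text
_ESC = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"(": b"(", b")": b")", b"\\": b"\\"}


def unescape_pdf_string(raw: bytes) -> bytes:
    """Decode PDF literal-string escapes: \\( \\) \\\\ \\n ... and \\ddd octal."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i:i + 1] != b"\\":
            out += raw[i:i + 1]
            i += 1
            continue
        nxt = raw[i + 1:i + 2]
        octal = re.match(rb"[0-7]{1,3}", raw[i + 1:])
        if nxt in _ESC:
            out += _ESC[nxt]
            i += 2
        elif octal:
            out.append(int(octal.group(0), 8) & 0xFF)
            i += 1 + len(octal.group(0))
        else:
            i += 2  # unknown escape: the spec says drop the backslash
    return bytes(out)


def url_channels(pdf: bytes) -> dict:
    """Label each URL by the channel that reached it: clickable /URI link
    annotations versus bare text elsewhere in the file body (e.g. font metadata).
    Only uncompressed objects are seen; /ObjStm contents would need inflating."""
    ann = [unescape_pdf_string(m).decode("latin-1") for m in _LITERAL.findall(pdf)]
    for h in _HEX.findall(pdf):
        h = re.sub(rb"\s", b"", h)
        ann.append(bytes.fromhex((h + b"0" * (len(h) % 2)).decode()).decode("latin-1"))
    seen, body_only = set(ann), []
    for m in _BODY.findall(pdf):
        u = m.decode("latin-1")
        if u not in seen:
            seen.add(u)
            body_only.append(u)
    return {"link_annotation": ann, "document_body": body_only}


def site_of(url: str) -> str:
    """Approximate registrable domain (last two host labels). A production
    scanner should use the Public Suffix List so that host.co.uk groups right."""
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def classify(pdf: bytes, min_links: int = 10, max_size: int = 200 * 1024,
             cluster_share: float = 0.5) -> dict:
    """Link-farm verdict: small file, many clickable external links, and a
    majority of them on one site. Only annotation-channel URLs are counted."""
    chans = url_channels(pdf)
    links = chans["link_annotation"]
    by_site = Counter(site_of(u) for u in links)
    top_site, top_n = by_site.most_common(1)[0] if by_site else ("", 0)
    share = top_n / len(links) if links else 0.0
    return {
        "size_bytes": len(pdf),
        "external_links": len(links),
        "by_site": dict(by_site),
        "top_site": top_site,
        "top_site_share": round(share, 2),
        "body_only_urls": chans["document_body"],  # reported, never counted
        "link_farm": len(pdf) <= max_size and len(links) >= min_links
                     and share >= cluster_share,
    }


# ---- constructed sample input (not the analysed file) ----
SAMPLE_URLS = [f"https://site{i:02d}.freehost.example/uploads/{i}/file{i}.pdf"
               for i in range(12)] + ["https://docs.other.example/a.pdf",
                                      "http://cdn.third.example/b.pdf"]
# Uncompressed stand-in for an embedded font's name table carrying a licence URL.
SAMPLE_FONT_BLOB = b"FakeSans Regular Licence: http://scripts.sil.org/OFL\n"


def build_sample_pdf(urls, body_extra: bytes = b"") -> bytes:
    """Write a minimal one-page PDF with one /Link annotation per URL."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots ["
            + b" ".join(b"%d 0 R" % (4 + i) for i in range(len(urls))) + b"] >>"]
    for i, u in enumerate(urls):
        esc = u.encode().replace(b"\\", b"\\\\").replace(b"(", b"\\(").replace(b")", b"\\)")
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [72 %d 540 %d] "
                    b"/A << /S /URI /URI (" % (700 - 14 * i, 712 - 14 * i) + esc + b") >> >>")
    if body_extra:
        objs.append(b"<< /Length %d >>\nstream\n" % len(body_extra) + body_extra + b"endstream")
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for n, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % n + body + b"\nendobj\n"
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % o for o in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref)
    return bytes(out)


if __name__ == "__main__":
    for k, v in classify(build_sample_pdf(SAMPLE_URLS, SAMPLE_FONT_BLOB)).items():
        print(f"{k}: {v}")
```

Run as a script it prints the verdict for the constructed sample: 14 clickable links, 12 of them on freehost.example, and the OFL URL reported under body_only_urls without influencing the verdict. Two caveats for real samples: annotation dictionaries packed into FlateDecode'd object streams are invisible to a raw-bytes scan and must be inflated first, and the last-two-labels site key is an approximation that a production scanner should replace with the Public Suffix List.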

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      | SHA-256                                                          | Kind            | Source                                    | Size
font_00_sfnt_off0000e767.bin  | 26682cf91fa54f6dd0569f9ffd0ab750d52a215a9c87caef6d47e111caa51484 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE767 | 4476 bytes
font_01_sfnt_off0000f697.bin  | 92bce2aeec6ce5059b4ff77b60752a10a51e682d8c8214ccbeacee219876e0fb | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF697 | 10552 bytes