Malicious PDF — malware analysis report

Static analysis result for SHA-256 b735497187d846b0…

MALICIOUS

PDF

Size: 71.4 KB
Created: 2021-05-29 18:15:43 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-24

MD5: 8e6354a8aae7f00ff35e6a8222de8d70
SHA-1: de06e62f4864b2c944377ea8d3a9e1ff6c2025ea
SHA-256: b735497187d846b08f8379d0a1da83d7ae510d9d05c5385849af9c10ca790dd4

Risk score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF is a small, generated document (wkhtmltopdf) whose body text contains a large number of external links, almost all pointing to other PDF files and clustered on a handful of free-hosting CDNs (cdn-cms.f-static.net, static.s123-cdn-static.com, weebly.com, strikinglycdn.com). This is the signature of an SEO link-farm carrier used to route searchers into unwanted-software or malware delivery chains rather than a genuine citation pattern. The only clickable link annotation, 'https://maypoin.ru/strik?utm_term=super+mario+bros+3+apk+download', is presented as a game download and is the likely lure. The ascendercorp.com and scripts.sil.org/OFL URLs are font licence references carried by the embedded sfnt font and are not part of the lure. The ClamAV phishing signature and the ML classifier score support the verdict. Note that none of the listed heuristics reports a JavaScript action, so the T1059.007 mapping is not backed by an observed indicator in this report.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7004

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://maypoin.ru/strik?utm_term=super+mario+bros+3+apk+download  (PDF link annotation)
    • https://cdn-cms.f-static.net/uploads/4410441/normal_5fd3718494d2e.pdf  (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4481828/normal_5ffb589d53f9a.pdf  (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4417119/normal_5fcba2de593b7.pdf  (in PDF document text)
    • https://pedomolakikivo.weebly.com/uploads/1/3/4/4/134440841/1356267.pdf  (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4480880/normal_60404554a69b5.pdf  (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4481993/normal_6019f0bf77d40.pdf  (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4445125/normal_5fe87b13b5295.pdf  (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4443356/normal_5ff982613b484.pdf  (in PDF document text)
    • https://pizojiri.weebly.com/uploads/1/3/4/6/134651663/begeparu.pdf  (in PDF document text)
    • https://gewedawinun.weebly.com/uploads/1/3/4/7/134745389/6a2722bc3.pdf  (in PDF document text)
    • https://lerorenoj.weebly.com/uploads/1/3/5/3/135390996/daduwebegarubusitav.pdf  (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4472506/normal_5fe49f3885d9d.pdf  (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4452850/normal_600dc77a55e9e.pdf  (in PDF document text)
    • http://www.ascendercorp.com/  (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html  (in PDF document text)
    • https://uploads.strikinglycdn.com/files/803ed916-9b53-447a-9f6c-d2c4bcef5248/el_diario_de_greg_2_resumen_libro.pdf  (in PDF document text)
    • https://uploads.strikinglycdn.com/files/b9f355c4-956e-4dba-91ee-84c9a142f8d7/why_is_my_acer_nitro_5_not_charging.pdf  (in PDF document text)
    • https://uploads.strikinglycdn.com/files/8201bbaf-d048-4e74-9a6b-c1d8a09050eb/what_does_data_warehousing_allow_organizations_to_achieve_day_to_day.pdf  (in PDF document text)
    • https://uploads.strikinglycdn.com/files/b8eb4b4c-758a-42ac-b6ee-2a6a8e904a4f/what_are_the_elements_of_security_plans.pdf  (in PDF document text)
    • https://uploads.strikinglycdn.com/files/45d6ca2a-2ec9-47dc-b15b-da8870f1a194/babatofowalaporevis.pdf  (in PDF document text)
    • https://uploads.strikinglycdn.com/files/524e72a1-4790-4cdb-9ee1-86089836b361/gone_the_complete_series_michael_grant.pdf  (in PDF document text)
    • https://uploads.strikinglycdn.com/files/f7ded170-94a1-4425-ba5e-7d8d09022816/canon_powershot_sx710_hs_superzoom_compact_camera.pdf  (in PDF document text)
    • https://uploads.strikinglycdn.com/files/01f8925d-bff6-4cea-acc9-e3f85a4c73ac/biwoboxa.pdf  (in PDF document text)
    • https://uploads.strikinglycdn.com/files/25a28bf9-832a-4af8-8b61-0c624c84ce8c/secret_ya_latif_pour_largent.pdf  (in PDF document text)
    • https://uploads.strikinglycdn.com/files/f01297a7-be43-4520-92a0-32eb184cc6b3/what_is_sacred_geometry_used_for.pdf  (in PDF document text)
    • https://uploads.strikinglycdn.com/files/861a386f-4d06-4308-879e-4ded19083108/craftsman_7.25_lawn_mower.pdf  (in PDF document text)
    • http://scripts.sil.org/OFL  (in PDF document text)
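The PDF_SEO_LINK_FARM rule above is described only in prose. The following Python, added here as an example and not part of this report or of the analysis engine that produced it, shows how a triage script can reproduce that rule with the standard library: it pulls URLs out of a PDF's raw bytes (URI actions on link annotations first, then bare URLs in document text, so each URL is labelled with the channel that reached it, as the report does), keeps only links whose path ends in .pdf, groups them by host, and flags a small file whose PDF links cluster on one host. The thresholds (256 KB, 8 PDF links, 50 % on one host), the fixture hosts (lure.example, cdn.example, other.example, fonts.example) and the minimal PDF builder are assumptions made for the example. Real samples usually carry Flate-compressed content streams, which must be inflated (e.g. with a PDF library) before the text scan; that step is omitted here.

```python
"""Reproduce a PDF link-farm heuristic over raw PDF bytes (stdlib only, example code)."""
import re
from collections import Counter
from urllib.parse import urlsplit

# /Link annotation carrying a URI action: /A << /S /URI /URI (https://...) >>
URI_ACTION_RE = re.compile(rb"/S\s*/URI\s*/URI\s*\(([^)]*)\)")
# Bare URL anywhere in the (uncompressed) file: content streams, metadata, font licences
BARE_URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'*+,;=%-]+")


def extract_urls(pdf_bytes):
    """Return [(url, channel)] in first-seen order, one entry per distinct URL.
    A URL reached through a link annotation keeps that label even if it also
    appears in the document text."""
    seen = {}
    for m in URI_ACTION_RE.finditer(pdf_bytes):
        seen.setdefault(m.group(1).decode("latin-1"), "link annotation")
    for m in BARE_URL_RE.finditer(pdf_bytes):
        seen.setdefault(m.group(0).decode("latin-1"), "document text")
    return list(seen.items())


def link_farm_verdict(pdf_bytes, max_size=256 * 1024, min_pdf_links=8, min_top_share=0.5):
    """Small file + many external .pdf links + most of them on one host => link farm.
    Thresholds are assumptions chosen for this example, not the report's values."""
    urls = [u for u, _ in extract_urls(pdf_bytes)]
    pdf_links = [u for u in urls if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in pdf_links)
    top_host, top_n = (hosts.most_common(1) or [(None, 0)])[0]
    share = top_n / len(pdf_links) if pdf_links else 0.0
    flagged = (len(pdf_bytes) <= max_size
               and len(pdf_links) >= min_pdf_links
               and share >= min_top_share)
    return {"size": len(pdf_bytes), "urls": len(urls), "pdf_links": len(pdf_links),
            "top_host": top_host, "top_host_share": round(share, 2), "link_farm": flagged}


def build_sample_pdf(lure, text_urls):
    """Constructed fixture: one page, one /Link annotation pointing at `lure`,
    and an uncompressed content stream whose text lists `text_urls` (the way
    generated link-farm PDFs usually carry their links)."""
    lines = "\n".join("(%s) Tj T*" % u for u in text_urls)
    stream = ("BT /F1 8 Tf 40 780 Td 10 TL\n%s\nET" % lines).encode("latin-1")
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 595 842] "
        b"/Contents 4 0 R /Annots [5 0 R] >>",
        b"<< /Length %d >>\nstream\n" % len(stream) + stream + b"\nendstream",
        b"<< /Type /Annot /Subtype /Link /Rect [40 700 300 720] "
        b"/A << /S /URI /URI (" + lure.encode("latin-1") + b") >> >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for i, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % i + body + b"\nendobj\n"
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref)
    return bytes(out)


# Constructed inputs: a farm-style carrier (9 PDF links on one CDN host, 2 on
# another, one font-licence link, one non-PDF lure annotation) and a benign
# document with two citation links on different hosts.
LURE = "https://lure.example/strik?utm_term=game+apk+download"
FARM_URLS = (["https://cdn.example/uploads/%d/normal_%02x.pdf" % (4400000 + i, i) for i in range(9)]
             + ["https://other.example/files/%d.pdf" % i for i in range(2)]
             + ["http://fonts.example/licence"])
SAMPLE_FARM = build_sample_pdf(LURE, FARM_URLS)
SAMPLE_BENIGN = build_sample_pdf("https://journal.example/article/123",
                                 ["https://repo.example/preprint.pdf",
                                  "https://lab.example/data.pdf"])

if __name__ == "__main__":
    for name, data in (("farm", SAMPLE_FARM), ("benign", SAMPLE_BENIGN)):
        print(name, link_farm_verdict(data))
```

On the farm fixture the verdict reports 13 URLs, 11 of them PDF links with 82 % on cdn.example, and flags the file; the benign fixture has only two PDF links and is not flagged. The per-URL channel label matters in triage: a lure delivered through a link annotation is clickable in any viewer, whereas URLs that only occur in document text (including font-licence references such as those in the sample above) are not.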

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f458.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xF458
Size: 5668 bytes
SHA-256: 99a74dadebf39709dcb400b98390d475175f0351ff088d2456778900e97368b9