Malicious PDF — malware analysis report

Static analysis result for SHA-256 bb83cbd7e8535a76…

Verdict: MALICIOUS
File type: PDF
Size: 71.6 KB
Created: 2021-03-20 22:13:47 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e8d1f6d9918820e46ccd8499e65d3e11
SHA-1: 8c402127442d0a19847169dcc50df2d341f2d9d7
SHA-256: bb83cbd7e8535a76b967205543e20094d7980ad4ba8ed07b627bd01f65dcd09f
Risk score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF carries a large set of clickable external links, most of them pointing to other PDF files on a handful of hosting domains (static.s123-cdn-static.com, cdn-cms.f-static.net, s3.amazonaws.com and filesusr.com), which is the pattern of a generated SEO link-farm carrier rather than of a document citing sources. The lead URL, 'https://vilenefex.ru/aws?utm_term=seven+spiritual+laws+of+success+audio+free', is dressed up as a search result for the title the victim was looking for and is the hop that routes the reader off the document to a malicious site. ClamAV (signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0) and the ML classifier (malicious score 0.8413) flag the file independently. Note that none of the four heuristics below reports JavaScript in the file; the link-annotation URL actions, not script, are what this sample relies on, so the T1059.007 mapping above is not backed by a finding on this page.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8413

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF_URI (info): External URI
    PDF contains an external URL action
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (23):
    • https://vilenefex.ru/aws?utm_term=seven+spiritual+laws+of+success+audio+free
    • https://static.s123-cdn-static.com/uploads/4503584/normal_5fd0910a34881.pdf
    • https://cdn-cms.f-static.net/uploads/4460678/normal_60533e8ab3e77.pdf
    • https://static.s123-cdn-static.com/uploads/4454048/normal_5fee119a650f4.pdf
    • https://cdn-cms.f-static.net/uploads/4390081/normal_600b6289a4dba.pdf
    • https://cdn-cms.f-static.net/uploads/4470837/normal_601665901a94e.pdf
    • https://static.s123-cdn-static.com/uploads/4478950/normal_6005380eacf12.pdf
    • https://static.s123-cdn-static.com/uploads/4410222/normal_5ff9c2f35b10b.pdf
    • https://cdn-cms.f-static.net/uploads/4489725/normal_604ce9f34f94f.pdf
    • https://cdn-cms.f-static.net/uploads/4408588/normal_603d336a3315c.pdf
    • https://static.s123-cdn-static.com/uploads/4443815/normal_5ffa03e0bac2b.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/xuzed/derechos_humanos_definicion_oms.pdf
    • https://s3.amazonaws.com/bajuse/review_android_tv_box_x96.pdf
    • https://s3.amazonaws.com/furunumaroxun/html5_responsive_web_template_free.pdf
    • https://s3.amazonaws.com/garorowa/vopujow.pdf
    • https://fdb0147f-387d-4908-9c93-1ccdb5bf775f.filesusr.com/ugd/aea2e0_67edf71f2bd2495ca2dd200d8ea2ce5b.pdf?index=true
    • https://s3.amazonaws.com/divelatoxa/sefugosafewekogojetupo.pdf
    • https://f3ea461b-95fd-44cf-949c-5afda193840f.filesusr.com/ugd/a48928_ac56987ed9d14c0db26582c390d90ff8.pdf?index=true
    • https://s3.amazonaws.com/sugowubuf/organizational_behavior_case_study_answers.pdf
    • https://s3.amazonaws.com/tutasujal/retained_earnings_balance_sheet_item.pdf
    • http://scripts.sil.org/OFL
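The PDF_SEO_LINK_FARM heuristic above is described only in words. The following is an added example, not the analyzer's own code, of how such a check can be built over raw PDF bytes: it pulls /URI actions out of plain objects and out of any Flate-compressed streams (so annotations hidden in an object stream are still seen), groups the .pdf targets by host, and flags a small file whose links are mostly PDFs clustered on a few hosts. The thresholds, the minimal PDF builder and the two URL sets are assumptions made for the example; FARM_URLS reuses the hosts from the report's list with made-up paths.

```python
"""Added example (not the analyzer's own code): a re-implementation of the
PDF_SEO_LINK_FARM idea over raw PDF bytes. It pulls /URI actions out of the
file (plain objects plus any Flate-compressed streams, so object streams are
covered too), groups the .pdf targets by host, and flags a small file whose
clickable external links are mostly PDFs clustered on a few hosts. The
thresholds and the sample documents below are assumptions, not the analyzer's."""
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

# /URI (literal) and /URI <hex>; the bare name in "/S /URI" is not followed by "(" so it never matches
URI_LIT_RE = re.compile(rb"/URI\s*\((?P<lit>(?:\\.|[^\\)])*)\)", re.S)
URI_HEX_RE = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def unescape_pdf_literal(raw: bytes) -> str:
    r"""Undo PDF literal-string escapes: \( \) \\ \n \r \t \b \f and \ddd octal."""
    out, i = bytearray(), 0
    simple = {ord("n"): 10, ord("r"): 13, ord("t"): 9, ord("b"): 8, ord("f"): 12}
    while i < len(raw):
        if raw[i] == 0x5C and i + 1 < len(raw):
            j, digits = i + 1, b""
            while j < len(raw) and j < i + 4 and raw[j] in b"01234567":  # up to three octal digits
                digits += raw[j:j + 1]
                j += 1
            if digits:
                out.append(int(digits, 8) & 0xFF)
                i = j
            else:
                out.append(simple.get(raw[i + 1], raw[i + 1]))
                i += 2
        else:
            out.append(raw[i])
            i += 1
    return out.decode("latin-1")


def extract_uri_actions(buf: bytes) -> list:
    """All URL targets of /URI actions found in one chunk of PDF bytes."""
    urls = [unescape_pdf_literal(m.group("lit")) for m in URI_LIT_RE.finditer(buf)]
    for m in URI_HEX_RE.finditer(buf):
        hexstr = re.sub(rb"\s", b"", m.group(1)).decode("ascii")
        urls.append(bytes.fromhex(hexstr + "0" * (len(hexstr) % 2)).decode("latin-1"))
    return urls


def inflated_streams(buf: bytes) -> list:
    """Inflate every stream body that starts as valid zlib data (FlateDecode); skip the rest
    (fonts, images, damaged data). decompressobj tolerates a trailing byte eaten by the regex."""
    out = []
    for m in STREAM_RE.finditer(buf):
        try:
            data = zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue
        if data:
            out.append(data)
    return out


def link_farm_verdict(pdf: bytes, max_size: int = 200_000, min_pdf_links: int = 10,
                      min_links_per_host: float = 3.0) -> dict:
    """Assumed rule: a file no larger than max_size with at least min_pdf_links distinct
    external .pdf targets, averaging min_links_per_host or more per hosting host, is a link farm."""
    urls = []
    for chunk in [pdf, *inflated_streams(pdf)]:
        urls.extend(extract_uri_actions(chunk))
    urls = list(dict.fromkeys(urls))  # de-duplicate, keep first-seen order
    pdf_links = [u for u in urls if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).netloc.lower() for u in pdf_links)
    per_host = len(pdf_links) / len(hosts) if hosts else 0.0
    flagged = len(pdf) <= max_size and len(pdf_links) >= min_pdf_links and per_host >= min_links_per_host
    return {"flagged": flagged, "size": len(pdf), "total_urls": len(urls), "pdf_links": len(pdf_links),
            "hosts": dict(hosts), "links_per_host": round(per_host, 2),
            "other_urls": [u for u in urls if u not in pdf_links]}


def build_sample_pdf(urls: list, object_stream: bool = False) -> bytes:
    """Constructed sample: a minimal PDF skeleton (no xref table) whose link annotations carry
    /URI actions. With object_stream=True the annotation objects are packed into one
    FlateDecode stream, roughly the way an object stream hides them from a plain grep."""
    annots = b""
    for i, u in enumerate(urls):
        lit = u.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)").encode("latin-1")
        annots += (b"%d 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI (" % (10 + i)
                   + lit + b") >> >>\nendobj\n")
    if object_stream:
        z = zlib.compress(annots)
        annots = (b"9 0 obj\n<< /Type /ObjStm /Filter /FlateDecode /Length %d >>\nstream\n" % len(z)
                  + z + b"\nendstream\nendobj\n")
    refs = b" ".join(b"%d 0 R" % (10 + i) for i in range(len(urls)))
    return (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
            b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [" + refs + b"] >>\nendobj\n" + annots + b"%%EOF\n")


# Constructed URL sets. FARM_URLS is patterned on the report's list (one non-PDF "search result"
# URL, PDF targets clustered on three hosts, one font-licence link); the paths are made up.
FARM_URLS = (
    ["https://vilenefex.ru/aws?utm_term=seven+spiritual+laws+of+success+audio+free"]
    + [f"https://static.s123-cdn-static.com/uploads/{4450000 + i}/normal_{i:013x}.pdf" for i in range(5)]
    + [f"https://cdn-cms.f-static.net/uploads/{4460000 + i}/normal_{i:013x}.pdf" for i in range(5)]
    + [f"https://s3.amazonaws.com/bucket{i}/document{i}.pdf" for i in range(4)]
    + ["http://scripts.sil.org/OFL"]
)
BENIGN_URLS = ["https://example.org/", "https://example.org/paper.pdf", "https://example.net/report.pdf"]

if __name__ == "__main__":
    for name, urls in (("farm", FARM_URLS), ("benign", BENIGN_URLS)):
        print(name, link_farm_verdict(build_sample_pdf(urls, object_stream=True)))
```

The verdict dictionary keeps the non-PDF URLs separately, which is where the "search result" hop (vilenefex.ru in the report) shows up; a triage script would feed those to reputation lookups rather than the bulk .pdf targets. Thresholds are deliberately loose, since a carrier this small with a dozen or more .pdf links on two or three hosts is already far outside normal citation behaviour.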

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off0000e9c6.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xE9C6  5284 bytes
  SHA-256: 5d0023d29cdd01b81516e1a23690673b801318797c3cf4d7c5b6ffebb6f528be
font_01_sfnt_off0000fbd7.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xFBD7  11228 bytes
  SHA-256: c081421455016e8f9f779ea273801ffafd2255b7c8eced74fb0f95d68f5bbb1e
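The artifacts table lists each font by raw file offset and size, which is what a header-driven carver produces. The following is an added example, not the analyzer's own carver, of that technique: scan for the sfnt magics (TrueType 0x00010000, OpenType/CFF 'OTTO', Apple 'true', 'typ1'), validate the table directory that must follow, and carve exactly the bytes the directory accounts for. The sample PDF and the two skeleton fonts in it are constructed for the example; the filename convention mirrors the report's.

```python
"""Added example (not the analyzer's own code): carving embedded sfnt fonts
(TrueType, OpenType/CFF) out of raw PDF bytes by locating an sfnt header and
validating its table directory. The sample PDF below is constructed and the
fonts in it are header-only skeletons, not real fonts."""
import hashlib
import struct

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true", b"typ1")


def sfnt_extent(buf: bytes, off: int, max_tables: int = 64):
    """If a self-consistent sfnt table directory starts at `off`, return
    (num_tables, total_size); otherwise None. Text such as "/IsFixedPitch true"
    is rejected because the bytes after the magic do not parse as a sane directory.
    searchRange/entrySelector/rangeShift are not checked: sloppy producers get them
    wrong and a carver wants recall."""
    if off + 12 > len(buf):
        return None
    num_tables = struct.unpack_from(">H", buf, off + 4)[0]
    if not 1 <= num_tables <= max_tables:
        return None
    dir_size = 12 + 16 * num_tables
    if off + dir_size > len(buf):
        return None
    extent = dir_size
    for i in range(num_tables):
        tag, _checksum, t_off, t_len = struct.unpack_from(">4sIII", buf, off + 12 + 16 * i)
        if not all(0x20 <= c < 0x7F for c in tag):              # tags are printable ASCII
            return None
        if t_off < dir_size or off + t_off + t_len > len(buf):  # tables follow the directory and must fit
            return None
        extent = max(extent, t_off + t_len)
    return num_tables, extent


def carve_sfnt_fonts(pdf: bytes) -> list:
    """Scan for sfnt magics, validate each hit, and return metadata for every carved font
    (offset, size, table count, SHA-256 and a filename in the report's naming style)."""
    found, pos = [], 0
    while True:
        hits = [h for h in (pdf.find(m, pos) for m in SFNT_MAGICS) if h != -1]
        if not hits:
            return found
        off = min(hits)
        parsed = sfnt_extent(pdf, off)
        if parsed is None:          # false hit: step past it and keep scanning
            pos = off + 1
            continue
        num_tables, size = parsed
        blob = pdf[off:off + size]
        found.append({"filename": f"font_{len(found):02d}_sfnt_off{off:08x}.bin", "offset": off,
                      "size": size, "tables": num_tables, "sha256": hashlib.sha256(blob).hexdigest()})
        pos = off + size            # do not rescan inside a font we already carved


def build_sfnt(tables: dict, version: bytes = b"\x00\x01\x00\x00") -> bytes:
    """Constructed sfnt skeleton: a correct header and table directory around dummy table data.
    Checksums are left at zero; a carver does not need them."""
    n = len(tables)
    entry_selector = n.bit_length() - 1
    search_range = (1 << entry_selector) * 16
    header = version + struct.pack(">HHHH", n, search_range, entry_selector, n * 16 - search_range)
    records, body = b"", b""
    for tag, data in tables.items():
        records += struct.pack(">4sIII", tag, 0, 12 + 16 * n + len(body), len(data))
        body += data + b"\x00" * (-len(data) % 4)  # tables are 4-byte aligned
    return header + records + body


FONT_A = build_sfnt({b"head": b"A" * 16, b"cmap": b"B" * 32})                  # TrueType flavour
FONT_B = build_sfnt({b"CFF ": b"C" * 24, b"name": b"D" * 8}, version=b"OTTO")  # OpenType/CFF flavour

# Constructed PDF fragment: two font streams plus a "true" decoy that must not be carved.
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /FontDescriptor /IsFixedPitch true /FontFile2 2 0 R >>\nendobj\n"
    + (b"2 0 obj\n<< /Length %d /Length1 %d >>\nstream\n" % (len(FONT_A), len(FONT_A)))
    + FONT_A + b"\nendstream\nendobj\n"
    + (b"3 0 obj\n<< /Length %d /Subtype /OpenType >>\nstream\n" % len(FONT_B))
    + FONT_B + b"\nendstream\nendobj\n%%EOF\n"
)

if __name__ == "__main__":
    for font in carve_sfnt_fonts(SAMPLE_PDF):
        print(font)
```

The carved size is the furthest byte any table record claims, so it can differ from the stream's /Length or /Length1: a stream padded past the last table carves shorter, and a directory that points past the stream is rejected outright rather than carved into the next object.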