Malicious PDF — malware analysis report

Static analysis result for SHA-256 c05c9bfc2f9bdc48…

MALICIOUS

PDF

Size: 59.7 KB
Created: 2021-03-22 23:36:47 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-20
MD5: a2ff6a4d561a8f078da88a56fb936574
SHA-1: 43e7396fb32717abddfe314c264f6dc9d2da88b4
SHA-256: c05c9bfc2f9bdc488a630a65c61dc3c3448f6a244b8d8e0627b85030e40ee0b5
Risk Score: 154

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file contains a large number of external links, flagged by the PDF_SEO_LINK_FARM heuristic, which suggests it is part of a link farm or is designed to host malicious content. One of the extracted URLs, https://ponafet.ru/strik?utm_term=maytag+appliance+repair+green+bay+wi, is presented in the document body and is likely a lure. The ClamAV detection and the ML classification also indicate maliciousness. No scripts were extracted, but the number of external links and the nature of the PDF_SEO_LINK_FARM heuristic suggest the potential for JavaScript execution or redirection to malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6421

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ponafet.ru/strik?utm_term=maytag+appliance+repair+green+bay+wi (PDF link annotation)