MALICIOUS
Risk Score: 154
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF file contains a large number of external links, many of which point to potentially malicious domains, indicating a link farm or phishing attempt. The heuristic PDF_SEO_LINK_FARM and ML_NYX_PDF_MALICIOUS firings strongly suggest malicious intent. The embedded URL and the overall structure point towards a phishing or malware distribution campaign disguised as job search results.
Machine Learning
- Nyx PDF Classifier malicious score 0.8381
Heuristics 4
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- External URI (info, PDF_URI): PDF contains an external URL action
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://resalured.ru/strik?utm_term=cdl+b+hazmat+jobs+nyc
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off0000e5c9.bin 3b6b3f4c69b0eec3ef98831e6771e0bd3bc42fe54a9091ef40441427a767301c | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE5C9 | 5356 bytes |