Malicious PDF — malware analysis report

Static analysis result for SHA-256 c1daa9052985ae55…

Verdict: MALICIOUS

File type: PDF

Size: 67.6 KB
Created: 2020-12-17 16:15:14 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 9bd3dcca272921d0c43400047f957530
SHA-1: 416d0c8d70cc8b699aab9cd5f68ca2ad22b2102f
SHA-256: c1daa9052985ae5537238eb65d399a7a50593937db356d4cb0415454c1f64f1a

Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many of which are to suspicious domains, indicating a link farm or phishing attempt. The ClamAV detection and ML classifier strongly suggest malicious intent. The embedded URL and the heuristic PDF_SEO_LINK_FARM indicate the document's primary purpose is to redirect users to potentially harmful websites.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.8239

Heuristics (4)

  • Small PDF contains mass external PDF link farm (severity: critical, id: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, id: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (severity: info, id: PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, id: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffset.ru/aws?utm_term=mathantics+algebra+worksheets

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000ece4.bin
SHA-256: 6865f09653ef8d2c5357367fbaec6e324771670e0696d6c7642d002e6fc572c4
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xECE4
Size: 5364 bytes