Malicious PDF — malware analysis report

Static analysis result for SHA-256 cac4357edf87057c…

Verdict: MALICIOUS
File type: PDF
Size: 79.1 KB
Created: 2021-03-17 18:47:46 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0f082b1e849473708c7d91c9ab90c801
SHA-1: b7f2087054f6f513f506752053333f4af98c4675
SHA-256: cac4357edf87057c1a3eebf14b7b517af52ea13aa3dcfa8dace2da09bccc5190
Risk Score: 154

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1059.007 Command and Scripting Interpreter: JavaScript

The PDF contains an unusually large number of external links for its size, the signature of an SEO link farm generated to rank for specific search terms. The primary URL, 'https://xajibur.ru/award?keyword=calendario+mondiali+di+calcio+2020+pdf+download', carries the search query as a parameter: the document is a generated lure for people looking for a "calendario mondiali di calcio 2020 pdf download", not the document it claims to be, and the landing page is the likely phishing or scam stage. Most of the remaining links point to further PDFs with randomised names on bulk file-hosting domains (cdn-cms.f-static.net, filesusr.com, s3.amazonaws.com); those files need not be malicious themselves, but together they form a distribution mesh that routes search traffic into the same delivery chain. The ascendercorp.com and scripts.sil.org/OFL URLs are a font vendor site and the SIL Open Font License, consistent with the name tables of the three embedded fonts (see Extracted artifacts) rather than with clickable links, and should not be weighed against the document. All four heuristics below are URL-based; no JavaScript or embedded file was flagged, so the risk is the URL chain rather than code execution inside the reader. The ML classifier and the ClamAV signature corroborate the malicious classification.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7474

Heuristics (4)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://xajibur.ru/award?keyword=calendario+mondiali+di+calcio+2020+pdf+download
    • https://cdn-cms.f-static.net/uploads/4493579/normal_601b7ae8cb186.pdf
    • https://cdn-cms.f-static.net/uploads/4372355/normal_602df3d47db6b.pdf
    • https://cdn-cms.f-static.net/uploads/4465691/normal_6010aa6180230.pdf
    • https://cdn-cms.f-static.net/uploads/4485929/normal_6026c07fa3356.pdf
    • https://cdn-cms.f-static.net/uploads/4421048/normal_6033febf9150c.pdf
    • https://cdn-cms.f-static.net/uploads/4412775/normal_600ea3fb0e3af.pdf
    • https://cdn-cms.f-static.net/uploads/4443804/normal_6049bd6fb9423.pdf
    • https://static.s123-cdn-static.com/uploads/4375522/normal_5fc604c978e03.pdf
    • https://cdn-cms.f-static.net/uploads/4384634/normal_603a695f3df0e.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/gotenukevepunin/wobutalepuwisomesipag.pdf
    • https://9907981b-0bc7-4fd3-a434-169f7cdadf42.filesusr.com/ugd/575363_f9e061698a2749d8bd4433915639cd72.pdf?index=true
    • https://45b0b119-5f8c-43e7-b437-4e12d17c1c81.filesusr.com/ugd/3826db_eb68fc1ddfb5435ebd23163b580cda0a.pdf?index=true
    • https://s3.amazonaws.com/xeropizuwe/14331573240.pdf
    • https://d427386d-3434-45d9-8802-370857a594f4.filesusr.com/ugd/accd1f_0125d8ddcf0d414dbde3f2642a493afd.pdf?index=true
    • https://33c7e2ec-32fc-4676-a642-9d95a4379e01.filesusr.com/ugd/622218_892d0e2026a94f38828d3d6cf257204c.pdf?index=true
    • https://f6ea5e03-7e7c-4dce-82ee-fd5d223759ef.filesusr.com/ugd/d203ad_bbe9b6b8881b44f18ebcc04af147c24a.pdf?index=true
    • https://a4346b84-4611-49ab-b113-80c9188ca613.filesusr.com/ugd/078c79_00d49889a660458e98a6429f9f6fa76e.pdf?index=true
    • https://s3.amazonaws.com/rebomedug/kyocera_fs_1120_mfp_manual.pdf
    • https://s3.amazonaws.com/wazotojemov/zosexinofijoxesima.pdf
    • https://8d2868a3-57b7-484c-81f6-493c1c4f5daa.filesusr.com/ugd/a8ca0f_5f646a12f3444392870d788d98db914e.pdf?index=true
    • https://s3.amazonaws.com/sedowedi/44986637729.pdf
    • https://s3.amazonaws.com/fekaduvopigab/jadixibotibamubunipit.pdf
    • https://c09438b0-f1cf-4ade-afa2-d322e048c450.filesusr.com/ugd/313cc6_81553b0fa5824b44be2278139f3240c6.pdf?index=true
    • https://s3.amazonaws.com/voropa/91490738906.pdf
    • http://scripts.sil.org/OFL
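The PDF_SEO_LINK_FARM heuristic and the EMBEDDED_URL note above rest on two separable questions: through which channel does each URL reach the document (a clickable /URI action versus, say, a string inside an embedded font program), and are the clickable PDF links clustered on one host in a file this small? The script below is an added example, not code from the report or from the analysis engine that produced it. It pulls /URI action operands from the raw file and from inflated streams, separately reads vendor (nameID 11) and license (nameID 14) URLs out of embedded sfnt fonts so they are not counted as links, and applies a link-farm rule of the kind described. The size, link-count and clustering thresholds, the host names, and the fixture PDF and font it builds are assumptions constructed for the example; the two font URLs in the fixture are the ones this report lists.

```python
import re
import struct
import zlib
from collections import Counter
from urllib.parse import urlsplit

# /URI (...) string operand of a URI action; tolerates escaped parentheses in the literal.
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO")  # TrueType / Apple TrueType / CFF OpenType


def decoded_streams(pdf):
    """Yield the payload of every stream object, inflating it when it is Flate-compressed."""
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", pdf, re.S):
        data = m.group(1)
        try:
            yield zlib.decompress(data)
        except zlib.error:
            yield data  # not Flate (or not compressed at all): scan as-is


def annotation_uris(pdf):
    """URLs reachable through URI actions, i.e. the clickable-link channel."""
    found = []
    for blob in (pdf, *decoded_streams(pdf)):  # annotations may live inside object streams
        for m in URI_RE.finditer(blob):
            found.append(m.group(1).replace(b"\\(", b"(").replace(b"\\)", b")").decode("latin-1"))
    return list(dict.fromkeys(found))  # de-duplicate, keep first-seen order


def font_name_urls(font):
    """Vendor (nameID 11) and license (nameID 14) URLs from an sfnt 'name' table."""
    urls = []
    (num_tables,) = struct.unpack(">H", font[4:6])
    for i in range(num_tables):
        tag, _chk, off, length = struct.unpack(">4sIII", font[12 + 16 * i:28 + 16 * i])
        if tag != b"name":
            continue
        name = font[off:off + length]
        count, string_off = struct.unpack(">HH", name[2:6])
        for j in range(count):
            plat, _enc, _lang, name_id, slen, soff = struct.unpack(">HHHHHH", name[6 + 12 * j:18 + 12 * j])
            if name_id in (11, 14):
                raw = name[string_off + soff:string_off + soff + slen]
                urls.append(raw.decode("utf-16-be" if plat in (0, 3) else "latin-1"))
    return urls


def embedded_font_urls(pdf):
    """URLs that sit in embedded font programs (FontFile2/FontFile3 streams), not in links."""
    urls = []
    for blob in decoded_streams(pdf):
        if blob[:4] in SFNT_MAGICS:
            urls.extend(font_name_urls(blob))
    return urls


def link_farm_verdict(pdf, max_size=200_000, min_pdf_links=10, min_cluster=0.5):
    """Link-farm rule; the thresholds are assumptions, the report's own cut-offs are not published."""
    uris = annotation_uris(pdf)
    pdf_links = [u for u in uris if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_count / len(pdf_links) if pdf_links else 0.0
    return {
        "uris": len(uris),
        "pdf_links": len(pdf_links),
        "top_host": top_host,
        "top_host_share": round(share, 3),
        "link_farm": len(pdf) <= max_size and len(pdf_links) >= min_pdf_links and share >= min_cluster,
    }


def build_sfnt(name_records):
    """Constructed fixture: minimal TrueType holding only a 'name' table (Windows/Unicode records)."""
    recs, strings = b"", b""
    for name_id, text in name_records:
        enc = text.encode("utf-16-be")
        recs += struct.pack(">HHHHHH", 3, 1, 0x0409, name_id, len(enc), len(strings))
        strings += enc
    name = struct.pack(">HHH", 0, len(name_records), 6 + 12 * len(name_records)) + recs + strings
    header = b"\x00\x01\x00\x00" + struct.pack(">HHHH", 1, 16, 0, 0)  # one table, record at 12, data at 28
    return header + struct.pack(">4sIII", b"name", 0, 28, len(name)) + name


def build_sample_pdf(urls, font):
    """Constructed fixture: one /Link annotation per URL plus one Flate-compressed FontFile2 stream."""
    objs = [b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI (%s) >> >>" % u.encode()
            for u in urls]
    comp = zlib.compress(font)
    objs.append(b"<< /Length %d /Length1 %d /Filter /FlateDecode >>\nstream\n%s\nendstream" % (len(comp), len(font), comp))
    body = b"%PDF-1.4\n" + b"".join(b"%d 0 obj\n%s\nendobj\n" % (i, o) for i, o in enumerate(objs, 1))
    return body + b"trailer\n<< /Root 1 0 R >>\n%EOF\n"


# Constructed sample shaped like the report: one lure URL, twelve .pdf links on one bulk host, one elsewhere,
# and a font whose name table carries the vendor/license URLs the report lists (hosts are placeholders).
SAMPLE_URLS = (["https://lure.example/award?keyword=calendario+pdf+download"]
               + ["https://cdn.example/uploads/%d/normal_%08x.pdf" % (i, i * 7919) for i in range(12)]
               + ["https://other.example/manual.pdf"])
SAMPLE_FONT = build_sfnt([(11, "http://www.ascendercorp.com/"), (14, "http://scripts.sil.org/OFL")])
SAMPLE_PDF = build_sample_pdf(SAMPLE_URLS, SAMPLE_FONT)

if __name__ == "__main__":
    print("link channel :", annotation_uris(SAMPLE_PDF))
    print("font channel :", embedded_font_urls(SAMPLE_PDF))
    print("verdict      :", link_farm_verdict(SAMPLE_PDF))
```

Run against a real sample, the split matters for triage: a URL that only appears in a font name table is a property of the font, not of the document's author, and a verdict should come from the link channel alone. The regex-over-bytes approach deliberately ignores cross-reference tables, so it still works on the truncated or damaged files that fall out of carving; it will miss URIs in encrypted documents or in streams with filters other than Flate, which a production scanner would decode first.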

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off0000fb55.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xFB55  5396 bytes
  SHA-256: 51c6b05f81b560ae58fbf9c20eacaf360e6f7a32990c026a8ad4c5eec614863b
font_01_sfnt_off00010d9d.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x10D9D  4284 bytes
  SHA-256: a97344d62c7c74388cd0a91d7641a031c9883599c1349837cefe784a6c4d0693
font_02_sfnt_off00011924.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x11924  11572 bytes
  SHA-256: ee83bf5bec3a98d4a814cb3c1a2803197df53cde81d054cbb11447bb2b870025