Malicious PDF — malware analysis report

Static analysis result for SHA-256 cc418c8680e9c937…

MALICIOUS

PDF

Size: 69.2 KB
Created: 2021-06-11 18:51:06 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-08-25
MD5: ac06696dc18459f8c8f08f87019b522a
SHA-1: d627cee00a8e830d764d7ae2d2dde845784caa2e
SHA-256: cc418c8680e9c93747bf5be81808b33b1e26bc2946e39813c0b11c8627f5bcb7
Risk Score: 124

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains an embedded URI pointing to a URL that promises a "temple run 2 money hack". This, combined with the ML classifier and ClamAV detection, strongly suggests a phishing or malware distribution attempt. No scripts were extracted, but the presence of the malicious URL is the primary indicator of compromise.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9920

Heuristics (4)

  • ClamAV detection [severity: critical, rule: CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting [severity: medium, rule: PDF_SEO_DISPOSABLE_LINK_FARM]
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI [severity: info, rule: PDF_URI]
    PDF contains an external URL action
  • Embedded URL [severity: info, rule: EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://queure.ru/pbw?utm_term=temple+run+2+money+hack (PDF link annotation)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000ece0.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xECE0
Size: 5244 bytes
SHA-256: d2199f60fb7726b51d26f5ef0dff7db5a6c7b22e8e7f55c80a6202c11f8ba1a9