Malicious PDF — malware analysis report

Static analysis result for SHA-256 d0c3f7d738105046…

Verdict: MALICIOUS
File type: PDF
Size: 107.8 KB
Created: 2021-03-21 02:47:11 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5f918f8b3ec2cd610c36237078a4067d
SHA-1: 56293669e929c260f17026ba2bb7ccba40788c0f
SHA-256: d0c3f7d73810504620873454197b0eb529d4ff865f0ee1e4eea4785d367da71e
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains a large number of external links, many of which point to potentially malicious domains, suggesting a link farm or phishing attempt. The ML classifier and ClamAV detection strongly indicate malicious intent. The embedded URL and the document body's deceptive content reinforce the phishing lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8597

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • PDF differential parser failed [info] PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PDFException. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://gimoguvi.ru/award?keyword=second+line+tb+drugs+pdf
    • http://xegazinijitup.mywebcommunity.org/76528858574.pdf
    • https://bapumora.weebly.com/uploads/1/3/2/7/132740837/mabudete_pepegewidazivux_midel.pdf
    • http://takaweri.mywebcommunity.org/71899305643.pdf
    • http://rezisekuvaz.mypressonline.com/nezexuneradixigepojide.pdf
    • https://difanewoxapazu.weebly.com/uploads/1/3/5/3/135321324/4299260.pdf
    • https://vutepunuvo.weebly.com/uploads/1/3/1/6/131637517/xorojolena.pdf
    • http://levotavo.scienceontheweb.net/12013349309.pdf
    • https://palisuxil.weebly.com/uploads/1/3/1/0/131071308/451de.pdf
    • http://wejuzofibab.medianewsonline.com/3863776512.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/eba60546-d099-40c1-9062-7f717c5f4ab9/5889142582.pdf
    • https://uploads.strikinglycdn.com/files/8f747200-ceed-42dc-bfac-b8f9795767b0/58323364933.pdf
    • https://uploads.strikinglycdn.com/files/572946e0-236b-4ee0-a6a8-9c986cc3e7c3/zesolo.pdf
    • http://butorinowu.myartsonline.com/diccionario_portugues_brasil_espaol.pdf
    • https://uploads.strikinglycdn.com/files/43063f8d-5a57-4b3e-ae0b-ca236f11d83b/sezotoremugedosel.pdf
    • https://uploads.strikinglycdn.com/files/3410f8d6-dfd6-4d69-a7ea-306e3739d7ce/pet_sematary_1989_cast_then_and_now.pdf
    • http://lofunadex.myartsonline.com/ugc_net_sociology_syllabus_2020.pdf
    • https://ff743420-c5e2-4527-a456-70ddb2a1abd8.filesusr.com/ugd/5178f2_37cb00019c394c8fa5ed544745786f80.pdf?index=true
    • https://uploads.strikinglycdn.com/files/595d06a1-8793-46da-9cf8-ab6194a10691/nufevisivebugiveri.pdf
    • https://uploads.strikinglycdn.com/files/2ec13a49-80f9-4d84-9980-5fa8e58451f4/50562791426.pdf
    • https://8ed6bd9f-de2b-4923-b7df-82f95eb18a03.filesusr.com/ugd/7fa32f_c9fc479e97cb44acb483a9d6756089ed.pdf?index=true
    • http://scripts.sil.org/OFL

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00016468.bin
    SHA-256: de5426621a20a15ae422a4c79e939e64a1a5f495d0e209d7466ffc3c3752caee
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x16468
    Size: 5240 bytes
  • font_01_sfnt_off00017635.bin
    SHA-256: c701015562ea7c15e278e39c294843eb77802e5fcd8236cb0ecc42579630b7aa
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x17635
    Size: 11344 bytes
  • font_02_sfnt_off00019c99.bin
    SHA-256: b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x19C99
    Size: 4324 bytes