Malicious PDF — malware analysis report

Static analysis result for SHA-256 d3d4fc32e91ef231…

MALICIOUS

PDF

Size: 76.3 KB
Created: 2021-04-02 06:40:01 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 900ca504a05c02a0de245122ea358dae
SHA-1: 8d3fc4e4ec35e7fbb7794d14cf6c35c9f2eb764b
SHA-256: d3d4fc32e91ef231be506a3b9670b4d6233e08c2ffa42e2a917f9615dfe17694
Risk score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains a large number of external links, many of them SEO-themed and pointing to other PDF documents, which suggests a link farm or redirection mechanism. One prominent URL, 'https://gimoguvi.ru/award?keyword=sql+interview+questions+and+answers+for+3+years+experience+pdf', is presented as a search result, indicating a phishing or malware-distribution lure. The ML classifier score and the ClamAV detection together strongly indicate malicious intent, most likely phishing or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9182

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://gimoguvi.ru/award?keyword=sql+interview+questions+and+answers+for+3+years+experience+pdf

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00010c6f.bin
SHA-256: 17b75603f5473a5654b46ad7328d3b1a8d60728bb060ed8e41ca2e58b39ec024
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x10C6F
Size: 5864 bytes