Malicious PDF — malware analysis report

Static analysis result for SHA-256 d653d7b23e4b281c…

Verdict: MALICIOUS
File type: PDF
Size: 74.2 KB
Created: 2021-03-10 20:44:08 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6d002de242ab71d738ca12c51c14f20b
SHA-1: abd64dd3500adf641e9f1d0e383f31b8b33f689d
SHA-256: d653d7b23e4b281cb8567e7bf3e30aaa78dde8562fedcc4e776c98782269d6ef
Risk score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file contains numerous external links, a common tactic for phishing or directing users to malicious sites. The ClamAV detection and ML classifier strongly indicate malicious intent. The presence of embedded URLs and the PDF_SEO_LINK_FARM heuristic suggest the primary goal is to redirect users to a network of linked content, likely for credential harvesting or further malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8529

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://dugedepap.ru/strik?utm_term=is+hp+officejet+4630+a+laser+printer
    • http://luwogexejel.getenjoyment.net/ronco_pasta_maker_recipes.pdf
    • http://tefitagesev.mypressonline.com/xbox_360_controller_not_turn_on.pdf
    • https://cdn.sqhk.co/gizibiliwili/ghheMih/a_snowball_effect_idiom_in_a_sentence.pdf
    • https://cdn.sqhk.co/vowibesep/tibNhj6/93488495860.pdf
    • http://jafoxidulez.mypressonline.com/61164730311.pdf
    • https://cdn.sqhk.co/gapebeve/ih53w5n/talisman_online_mobile_gameplay.pdf
    • https://cdn.sqhk.co/fomavulobet/gtJhaRJ/subject_pronouns_worksheets_grade_4.pdf
    • http://zomolejefej.mywebcommunity.org/gozuxo.pdf
    • https://cdn.sqhk.co/rinulazopun/bEehe28/41510891853.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://1de4b56a-3309-4767-83a2-f1bb1ea7c594.filesusr.com/ugd/a6e5e9_5ff594dab4974726a627a57781b3a7b4.pdf?index=true
    • https://uploads.strikinglycdn.com/files/4c6458d3-ac64-4139-80fc-3bf770c0a97c/82071301047.pdf
    • https://911f1565-2faa-4874-b261-330d521e7362.filesusr.com/ugd/f46427_2f6f99930a5645ca8ddc4c9c517d89ef.pdf?index=true
    • https://53ebb62d-ddaf-432f-8dc3-1f4746653467.filesusr.com/ugd/bbd3cf_4f5d8110705d439284aa5b2d13928d66.pdf?index=true
    • https://23751d96-d7b3-42ca-b8ca-e459b671ea95.filesusr.com/ugd/7de994_447636ffc4124787a688a3d2e36e7076.pdf?index=true
    • https://e5eb5b25-b33c-43e3-82d5-57ab1bf863d8.filesusr.com/ugd/b0c717_c6145179bf8e445e96553df0544d252f.pdf?index=true
    • https://83d12552-0bc1-4415-b221-1da25caacb9b.filesusr.com/ugd/1e11d0_3f562415232e4812a62d14a02bb52fc4.pdf?index=true
    • https://uploads.strikinglycdn.com/files/097b2694-6172-4cf1-9ee1-8b5dc6ea88d2/bujav.pdf
    • https://uploads.strikinglycdn.com/files/fd358f99-83e0-4349-af81-9dd728bf463a/billie_eilish_the_end_of_the_world_lyrics_traduction.pdf
    • https://ef2e072a-e8a2-4438-804d-cc750be2e2f6.filesusr.com/ugd/6a22cb_48088af857784dea9a5b85243627dd74.pdf?index=true
    • https://a35b4eae-300a-44a5-b982-8d633984e519.filesusr.com/ugd/19735e_ef16b5f3798f4f9d9620062f9fa6a6d8.pdf?index=true
    • https://3568ea06-17fa-4787-91ae-86b9aa918cbd.filesusr.com/ugd/8ade13_433094f0701b467fae171beec629d926.pdf?index=true
    • https://41be308f-8a64-4dec-8b30-4937605be974.filesusr.com/ugd/f042fe_51f99c45ca88491ca8a6ae3281f83f82.pdf?index=true
    • https://0e098354-e5d1-4afc-9be7-763a70ae5e44.filesusr.com/ugd/ef253e_5ce2346d42a64755878fc399f8c6f8fe.pdf?index=true
    • https://1094d5c0-a920-47c7-a1de-7e2d56a92d84.filesusr.com/ugd/47b1e8_b8fdf34e6e3e423c8c87364b7022f053.pdf?index=true
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000f921.bin
    SHA-256: 1bb3f42e146393fec352d63a920a4c4241a89da6e463c29c95540a109abf4ae4
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF921
    Size: 5664 bytes
  • Filename: font_01_sfnt_off00010c64.bin
    SHA-256: 8b71477c75d44432aa6d18f4dbcc77f872f80784e26db235c71f587930ce548b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10C64
    Size: 10372 bytes