Malicious PDF — malware analysis report

Static analysis result for SHA-256 d8e300906d2ccd0f…

Verdict: MALICIOUS
File type: PDF
Size: 76.3 KB
Created: 2021-03-22 20:00:57 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6e2c52b0ed0eb5f1ceee277610b76a6b
SHA-1: d1183da6b5e78527062154d03f8dbbae35b56d9f
SHA-256: d8e300906d2ccd0f83f6e9d1b96ba9bfd08eaab62bccf3a429cd63f622dba49c
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, identified as a link farm, suggesting a malicious intent to redirect users to potentially harmful websites. ClamAV detected this file as Pdf.Phishing.Trojan, and ML classification also flagged it as malicious. The embedded URLs are the primary indicators of compromise, likely leading to phishing or malware distribution sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6969

Heuristics (4)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://pelibifir.ru/award?keyword=body+language+allan+pease+bangla+pdf
    • https://jelakuge.weebly.com/uploads/1/3/1/8/131856802/wovotub_nomiluke_vejupufuw.pdf
    • https://werijininen.weebly.com/uploads/1/3/4/6/134635560/1114334.pdf
    • http://parazepurafeza.medianewsonline.com/library_of_babel_borges.pdf
    • http://sidufapas.mywebcommunity.org/23268563224.pdf
    • https://xufodikufidu.weebly.com/uploads/1/3/5/3/135382923/2225726be41d3d2.pdf
    • https://senakubedezozi.weebly.com/uploads/1/3/1/6/131606366/nufuzuroto_korabomapilo_dubimujuda.pdf
    • https://jidupedepinamup.weebly.com/uploads/1/3/2/6/132680921/9669032.pdf
    • http://lubevos.scienceontheweb.net/jeff_buckley_hallelujah_piano.pdf
    • https://rafopotoze.weebly.com/uploads/1/3/4/6/134609035/nenitatenef.pdf
    • https://jasugigikimodo.weebly.com/uploads/1/3/1/3/131383258/satatugelowumul.pdf
    • https://zububeto.weebly.com/uploads/1/3/6/0/136082076/vadugoxiporuko.pdf
    • https://dukikabapesudux.weebly.com/uploads/1/3/4/1/134108868/funin.pdf
    • https://gesogakit.weebly.com/uploads/1/3/4/5/134581759/guwegakabasel-luvema-xebugumarujut-wutegigu.pdf
    • https://gofuzuxelizexo.weebly.com/uploads/1/3/5/3/135391542/duloxatudom.pdf
    • https://tivizaxif.weebly.com/uploads/1/3/1/3/131381605/e020629e60.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://besafetusupug.atwebpages.com/rixasuresuvunom.pdf
    • https://s3.amazonaws.com/polojuliragam/ramitilitozuni.pdf
    • https://s3.amazonaws.com/pulavokaxe/sorugawamexelubug.pdf
    • https://s3.amazonaws.com/babetafaperaxov/benign_salivary_gland_tumors.pdf
    • https://s3.amazonaws.com/varolexexus/osrs_ornate_pool_guide.pdf
    • https://s3.amazonaws.com/sajatesawodiji/can_you_program_a_directv_remote_to_a_roku_tv.pdf
    • http://bavotuvezomevi.myartsonline.com/94949298027.pdf
    • https://s3.amazonaws.com/polexebuj/23561179581.pdf
    • https://s3.amazonaws.com/kelukakeb/marshall_haze_40_footswitch_schematic.pdf
    • https://s3.amazonaws.com/dazinibonofobi/digefofabekakazebuj.pdf
    • http://scripts.sil.org/OFL
    • http://www.geocities.com/mitra_anirban/hobbies.htmGNU
    • http://www.gnu.org/copyleft/gpl.htmRegular

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Fields per artifact: filename, SHA-256, kind, source, size.

  • font_00_sfnt_off0000daee.bin
    SHA-256: 663262363ff3cbe704102f90da23438ec7472e463f665d31b74f3e0c7d475f10
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDAEE
    Size: 5404 bytes
  • font_01_sfnt_off0000ed68.bin
    SHA-256: f67d96912458ad3602991639b5b04cef86dfb83126306ff6fe33a5df7317bc2b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xED68
    Size: 17616 bytes
  • font_02_sfnt_off00012075.bin
    SHA-256: 1e73c116ef30a8252e642028b9d94ff39327f11a90e454e4a16c51c366236330
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12075
    Size: 1608 bytes