Malicious PDF — malware analysis report

Static analysis result for SHA-256 dac0617c0d15f8d3…

Verdict: MALICIOUS
File type: PDF
Size: 69.8 KB
Created: 2021-04-09 18:02:04 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 595c0d28afde30567c99df8eeaa70fcc
SHA-1: 53bd9558a9b6f3014c04c5309bcd9b860762af72
SHA-256: dac0617c0d15f8d3712f87ca224a48b8968be92a013d8a69f912369e3f46c1c6
Risk Score: 154

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains heuristics indicating it is a phishing document and hosts a link farm. The embedded URL points to a suspicious domain, likely serving as a lure for users searching for game downloads. While no scripts were directly extracted, the PDF structure and external links suggest an attempt to redirect users to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8590

Heuristics (4)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://lozipotod.ru/strik?utm_term=sims+3+worlds+free+download+tumblr

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000d060.bin
    SHA-256: 8388a3d1ec030a85ef8d0ac989c7921ebfe99c60e98f54de6b0ee5bb40371e16
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD060
    Size: 5552 bytes
  • font_01_sfnt_off0000e32b.bin
    SHA-256: fe2123dbee4b7bf8755342d2f8fb97f76f6a70077f8b9fc3a8343a1737165214
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE32B
    Size: 2528 bytes
  • font_02_sfnt_off0000ee5b.bin
    SHA-256: df877fc5847dd4262a2a233623b37c628ab60fbc469bbc979c038d1201263a34
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEE5B
    Size: 9980 bytes