Malicious PDF — malware analysis report

Static analysis result for SHA-256 dadaa7f3f99dd6f2…

Verdict: MALICIOUS
File type: PDF
Size: 72.2 KB
Created: 2021-03-12 13:05:37 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2843dd84ca18bd8b1a4db58f2bc98fda
SHA-1: 5688fa7640d85740f7c70de6f054e79258b60d02
SHA-256: dadaa7f3f99dd6f206f61194acdbe893a1b64d48bbdba94c90b1ef8464566846
Risk score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF carries a large number of external links, mostly to other PDFs hosted on a handful of file-hosting CDNs, in the pattern of a generated SEO link farm; the most prominent is a keyword-stuffed URL on xajibur.ru whose query string ('plasenta akreta adalah pdf', Indonesian for 'placenta accreta is pdf') targets search traffic. This points to SEO manipulation used to funnel users into phishing or unwanted-software delivery chains. The ClamAV signature (Pdf.Phishing.Trojan) and the ML classifier score corroborate the malicious verdict. Note that no JavaScript heuristic fired in this scan, so the T1059.007 tag is not corroborated by the heuristics listed below; treat the link-farm pattern, not script execution, as the primary indicator.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6789

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://xajibur.ru/award?keyword=plasenta+akreta+adalah+pdf
    • https://static.s123-cdn-static.com/uploads/4414873/normal_5ff06de359270.pdf
    • https://cdn-cms.f-static.net/uploads/4407991/normal_600aac05e894d.pdf
    • https://cdn-cms.f-static.net/uploads/4450251/normal_6037fb0103065.pdf
    • https://cdn-cms.f-static.net/uploads/4476011/normal_60158c0f5b237.pdf
    • https://cdn-cms.f-static.net/uploads/4480170/normal_60198fc49ce11.pdf
    • http://1xbet-regi.site/febonau2y1.pdf
    • http://sale20.site/6884169310z5n0.pdf
    • http://spainsale.pro/baylor_academic_integrity_quiz_answersujf8r.pdf
    • https://cdn-cms.f-static.net/uploads/4493545/normal_5fdaf67850360.pdf
    • https://cdn-cms.f-static.net/uploads/4483365/normal_5fd111bbd8724.pdf
    • http://richteam.site/burka_avenger_cartoon_3gpgyr43.pdf
    • https://static.s123-cdn-static.com/uploads/4478125/normal_5fcd5ef32375a.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/87af4088-6bb0-4856-b6e7-ff2cf595173d/wirolejovas.pdf
    • https://uploads.strikinglycdn.com/files/80580ff6-80c5-4575-9b51-fb6ecb8972ee/ques_un_asociado_de_ventas.pdf
    • https://uploads.strikinglycdn.com/files/bf6d8a63-6ee2-4773-b190-fc7a31503469/heart_of_darkness_movie_cast.pdf
    • https://09ec9d85-9312-4337-94d0-b84080e05f2e.filesusr.com/ugd/ac0094_5e7525181c6645f0ac27e39330aa9760.pdf?index=true
    • https://uploads.strikinglycdn.com/files/2ee99a54-591a-4214-9172-1ffa2b6080e0/diablo_3_switch_eshop_sale.pdf
    • https://uploads.strikinglycdn.com/files/e8456374-6bc3-4c96-be21-a98c3943e90f/juriroluxidupumusogon.pdf
    • https://35548484-ce42-4b18-9d9d-834326683263.filesusr.com/ugd/a221b6_c89f604ab65b43ecb98bab73eac7b17c.pdf?index=true
    • https://uploads.strikinglycdn.com/files/5f452c1f-5cd9-4f2f-a903-c016367d0eea/descargar_caballo_de_troya_10_gratis.pdf
    • https://uploads.strikinglycdn.com/files/012de643-4cf5-44ae-92d7-bcb275c09fa3/chartered_financial_analyst_course_duration.pdf
    • https://uploads.strikinglycdn.com/files/236106ce-03ca-403d-a286-df246ed2cdcc/nogoresudapivovufi.pdf
    • https://uploads.strikinglycdn.com/files/cd1d43f2-ed32-42a9-a03c-4325ec915a9b/the_little_prince_excerpt_by_antoine_de_saint-exupery_summary.pdf
    • https://uploads.strikinglycdn.com/files/27f8d9aa-2861-46d3-956b-dcab6833ae15/economic_development_jobs_nyc.pdf
    • http://scripts.sil.org/OFL
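The PDF_SEO_LINK_FARM heuristic above can be reproduced with a few lines of Python. The following is an added example, not the scanner's own code: it pulls /URI action targets out of uncompressed PDF objects, groups them by host, and applies illustrative thresholds (at least 10 external .pdf links, file under 200 KB, top host holding at least 40% of them). The thresholds, the helper names and the URLs in the constructed sample are assumptions of this example, not values taken from the report.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Target string of a /URI action, written as a literal (...) or hex <...> string.
# Only plain-text objects are covered: object streams and FlateDecode'd
# content would have to be inflated first (assumption of this example).
URI_RE = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)")


def _unescape_literal(raw: bytes) -> bytes:
    # Undo the PDF literal-string escapes that matter for URLs: \( \) and \\.
    return re.sub(rb"\\([()\\])", rb"\1", raw)


def extract_uris(pdf: bytes) -> list:
    """Return every /URI action target in the raw PDF bytes, in file order."""
    targets = []
    for lit, hexs in URI_RE.findall(pdf):
        raw = _unescape_literal(lit) if lit else bytes.fromhex(hexs.decode("ascii"))
        targets.append(raw.decode("latin-1"))
    return targets


def link_farm_verdict(pdf: bytes, min_links: int = 10, max_size: int = 200 * 1024,
                      top_host_share: float = 0.4) -> dict:
    """Link-farm heuristic in the spirit of PDF_SEO_LINK_FARM: a small file with
    many external links to other PDFs, mostly clustered on one host.
    The three thresholds are illustrative assumptions, not the scanner's."""
    external = [u for u in extract_uris(pdf) if urlsplit(u).scheme in ("http", "https")]
    pdf_links = [u for u in external if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_count / len(pdf_links) if pdf_links else 0.0
    flagged = len(pdf) <= max_size and len(pdf_links) >= min_links and share >= top_host_share
    return {
        "size": len(pdf),
        "external_links": len(external),
        "pdf_links": len(pdf_links),
        "hosts": len(hosts),
        "top_host": top_host,
        "top_host_share": round(share, 3),
        "flagged": flagged,
    }


def build_sample_pdf(urls: list) -> bytes:
    """Build a tiny uncompressed PDF with one /Link annotation per URL.
    Constructed test input for this example (no xref table; enough for the
    extractor above, not meant to be opened in a viewer)."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    annots = " ".join(f"{4 + i} 0 R" for i in range(len(urls)))
    objs.append(f"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [{annots}] >>".encode())
    for i, url in enumerate(urls):
        y = 700 - 20 * i
        objs.append(f"<< /Type /Annot /Subtype /Link /Rect [72 {y} 300 {y + 12}] "
                    f"/A << /S /URI /URI ({url}) >> >>".encode())
    out = bytearray(b"%PDF-1.4\n")
    for num, body in enumerate(objs, start=1):
        out += f"{num} 0 obj\n".encode() + body + b"\nendobj\n"
    out += b"trailer << /Root 1 0 R >>\n%%EOF\n"
    return bytes(out)


# Constructed URL sets (hypothetical hosts, not the ones in the report):
# a link farm clustered on one CDN host, and a normal two-link document.
FARM_URLS = ([f"https://cdn.example-host.test/uploads/{4400000 + i}/normal_{i:04x}.pdf"
              for i in range(8)]
             + ["http://sale.example.test/offer.pdf", "http://other.example.test/guide.pdf",
                "https://third.example.test/files/x.pdf", "https://fonts.example.test/license"])
BENIGN_URLS = ["https://www.example.org/", "https://www.example.org/paper.pdf"]

if __name__ == "__main__":
    for name, urls in (("farm", FARM_URLS), ("benign", BENIGN_URLS)):
        print(name, link_farm_verdict(build_sample_pdf(urls)))
```

On the constructed farm sample the verdict reports 11 .pdf links across 4 hosts with the top host holding about 73% of them, so it is flagged; the two-link document is not. The host-clustering term is what separates a generated carrier from a genuine bibliography, which tends to spread its citations over many unrelated hosts.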

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                        Kind             Source                                       Size
font_00_sfnt_off0000f074.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0xF074    5192 bytes
  SHA-256: f749b9bda9d9b49a7c57a64262379aa58384a7facb6b9c42a22957640f1dd911
font_01_sfnt_off00010219.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x10219   10568 bytes
  SHA-256: 026814bf954a70d19771ce0c05d065a6cdce2ee9449ac4171dbcc4d54decff40
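The two sfnt artifacts above were carved from the raw file at the listed offsets. As an added example (not the analysis platform's own carver), the Python below scans a byte buffer for sfnt headers, walks the table directory to work out each font's true length, and hashes the carved bytes, while rejecting the literal keyword `true` that appears throughout ordinary PDF syntax. The buffer, the fake fonts and the 64-table sanity bound are constructed assumptions; the code also assumes the font streams are stored uncompressed, which is not the general case for PDF.

```python
import hashlib
import struct

# sfnt container magics: TrueType (1.0), Apple 'true', and CFF-based OpenType.
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO")


def sfnt_length(buf: bytes, off: int):
    """Length of the sfnt starting at buf[off], derived from its table directory
    (header: magic, numTables; then 16-byte records of tag, checksum, offset,
    length). Returns None when the bytes are not a plausible sfnt header, which
    is how the literal 'true' in ordinary PDF syntax gets rejected."""
    if off + 12 > len(buf) or buf[off:off + 4] not in SFNT_MAGICS:
        return None
    num_tables = struct.unpack_from(">H", buf, off + 4)[0]
    if num_tables == 0 or num_tables > 64:          # sanity bound (assumption)
        return None
    dir_end = 12 + 16 * num_tables
    end = dir_end
    for i in range(num_tables):
        rec = off + 12 + 16 * i
        if rec + 16 > len(buf):
            return None
        tag, _checksum, t_off, t_len = struct.unpack_from(">4sIII", buf, rec)
        if any(c < 0x20 or c > 0x7E for c in tag):   # tags are printable ASCII
            return None
        if t_off < dir_end or t_off + t_len > len(buf) - off:
            return None
        end = max(end, t_off + t_len)
    padded = (end + 3) & ~3                           # tables are 4-byte aligned
    return min(padded, len(buf) - off)


def carve_sfnt_fonts(buf: bytes) -> list:
    """Scan raw bytes for sfnt headers and return (offset, length, sha256) for
    each font whose table directory checks out. Assumes the font streams are
    stored uncompressed; FlateDecode'd streams must be inflated before scanning."""
    found, pos = [], 0
    while True:
        hits = [h for h in (buf.find(m, pos) for m in SFNT_MAGICS) if h != -1]
        if not hits:
            return found
        off = min(hits)
        length = sfnt_length(buf, off)
        if length is None:
            pos = off + 1
            continue
        found.append((off, length, hashlib.sha256(buf[off:off + length]).hexdigest()))
        pos = off + length


def build_fake_sfnt(tables: dict) -> bytes:
    """Assemble a structurally valid but functionally empty sfnt from tag->data.
    Constructed test input for this example; not a usable font."""
    num = len(tables)
    dir_end = 12 + 16 * num
    header = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", num, 0, 0, 0)
    records, blob = b"", b""
    for tag, data in tables.items():
        records += struct.pack(">4sIII", tag, 0, dir_end + len(blob), len(data))
        blob += data + b"\0" * (-len(data) % 4)
    return header + records + blob


FONT_A = build_fake_sfnt({b"cvt ": b"\x02\x03\x04", b"head": b"\x00" * 54, b"hhea": b"\x01" * 36})
FONT_B = build_fake_sfnt({b"OS/2": b"\x05" * 96, b"name": b"abc"})

# Constructed PDF-like container with two uncompressed font streams and a
# stray 'true' keyword that must not be mistaken for an Apple sfnt header.
SAMPLE_BYTES = b"".join([
    b"%PDF-1.4\n",
    b"5 0 obj << /Length " + str(len(FONT_A)).encode() + b" /Interpolate true >> stream\n",
    FONT_A,
    b"\nendstream endobj\n",
    b"6 0 obj << /Length " + str(len(FONT_B)).encode() + b" >> stream\n",
    FONT_B,
    b"\nendstream endobj\n%%EOF\n",
])

if __name__ == "__main__":
    for off, length, digest in carve_sfnt_fonts(SAMPLE_BYTES):
        print(f"sfnt at offset 0x{off:X}, {length} bytes, sha256 {digest}")
```

Deriving the length from the table directory rather than from the stream's /Length key matters in forensics: a malformed or deliberately wrong /Length is common in malicious PDFs, and the directory walk also rejects false hits on `true`, whose following bytes never form a sane table count.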