Malicious PDF — malware analysis report

Static analysis result for SHA-256 ddc2e18adf7e3386…

MALICIOUS

PDF

Size: 79.2 KB
Created: 2021-04-16 04:33:19 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 89cff14c4c405a8c7c22b4665ccf8a3e
SHA-1: c318fa4da55bad6d3913619a859ed2fd8f8b6d71
SHA-256: ddc2e18adf7e3386d7a00d31a8243193e6b8f2f6ba2c73e38780a93d770a160b
Risk Score: 124

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains multiple external URIs, with one specifically appearing as a search result for 'Fender mustang ii amp power cable'. The presence of a link farm on disposable hosting and a high ML classifier score indicate malicious intent. ClamAV also detected this file as Pdf.Phishing.Trojan, further supporting its malicious nature. No scripts were extracted, but the document structure and embedded URLs suggest a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8184

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://maypoin.ru/strik?utm_term=fender+mustang+ii+amp+power+cable (the utm_term SEO-redirector link referenced above)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00011476.bin
SHA-256: ab0a49ce4c2072fb8b89de45cc36b2db322cac6b142c89381cd016e4fe330066
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x11476
Size: 5580 bytes