Malicious PDF — malware analysis report

Static analysis result for SHA-256 ea0c5b407ad7f06d…

MALICIOUS

PDF

Size: 74.8 KB
Created: 2021-06-03 04:26:48 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e71cf0369ef20ed03e3320f38153a4a0
SHA-1: cb052b6f62dfe8364a132ef513b8502327c8da09
SHA-256: ea0c5b407ad7f06d8ed1664b089db943d2ebad74219f331eef348eec0d7e08b9
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, with a critical heuristic identifying it as a link farm. One prominent link directs to 'coretry.ru/pbw', suggesting a phishing or scam attempt. The presence of multiple Weebly-hosted PDF links further indicates a coordinated effort to distribute malicious content or redirect users to potentially harmful sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8823

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted from the document:
    • https://coretry.ru/pbw?utm_term=participe+pr%25C3%25A9sent+adjectif+verbal+exercices+pdf
    • https://fepapiwepum.weebly.com/uploads/1/3/4/3/134382013/46bc89.pdf
    • https://ziperibeletoru.weebly.com/uploads/1/3/4/7/134761266/zegadonemudez_jasemofem.pdf
    • https://cdn-cms.f-static.net/uploads/4465392/normal_60696469b0173.pdf
    • https://xuminewas.weebly.com/uploads/1/3/7/5/137500686/9946e65df4b0d3d.pdf
    • https://rapugudunoxe.weebly.com/uploads/1/3/4/0/134012743/musukom.pdf
    • https://regajuwanuduxis.weebly.com/uploads/1/3/4/3/134319991/9658edfa79.pdf
    • https://matasomorat.weebly.com/uploads/1/3/4/4/134492922/banisudijijogulufiva.pdf
    • https://cdn-cms.f-static.net/uploads/4500183/normal_60117e067c1f4.pdf
    • https://cdn-cms.f-static.net/uploads/4393898/normal_602d39d8f1201.pdf
    • https://cdn-cms.f-static.net/uploads/4495838/normal_600da7b606052.pdf
    • https://bokepamukabina.weebly.com/uploads/1/3/5/2/135293240/zisikukodekelol.pdf
    • https://pulijapejupexeb.weebly.com/uploads/1/3/4/0/134041872/runono-fovadatabujib.pdf
    • https://cdn-cms.f-static.net/uploads/4451375/normal_6061d4521971d.pdf
    • https://static.s123-cdn-static.com/uploads/4486036/normal_5ff81f1739ff7.pdf
    • https://zafovuzixo.weebly.com/uploads/1/3/4/5/134588091/xemifidedonib.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/2b9d2fe9-a6ca-48fe-bb02-91ca9d1b8b76/how_to_oil_hermle_clock_movement.pdf
    • https://uploads.strikinglycdn.com/files/55ff8841-8906-43a6-9f84-592cc2494845/tp-link_tl-wa850re_n300.pdf
    • https://uploads.strikinglycdn.com/files/99cc9a20-6650-41fd-9f31-8522933cfadf/6288916654.pdf
    • https://uploads.strikinglycdn.com/files/aa129b49-e4a9-45bc-9429-e66529dc67e7/pefajexavomorubo.pdf
    • https://uploads.strikinglycdn.com/files/7d8dedd7-f6c3-439f-ad1f-d0cfff79e008/vitewadabipus.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000110ce.bin
SHA-256: 341f3a35907380da6e49a5d32007bc77fbadc842ff869e37183eeebf4306950f
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x110CE
Size: 5636 bytes