Malicious PDF — malware analysis report

Static analysis result for SHA-256 f644e0c05fd6d007…

Verdict: MALICIOUS
File type: PDF
Size: 73.4 KB
Created: 2021-03-18 22:42:54 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-07-07
MD5: 88b14817d42cb7143fba8bb58d882fb1
SHA-1: b68f47fc837748b750809ba9c557b018dd04e7bc
SHA-256: f644e0c05fd6d007e9aa4fa69da440dc8b8deafeabf57ee34044aa3befc86e99
Risk Score: 124

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains numerous embedded links pointing to disposable domains, disguised as a document about learning English. Heuristics indicate it functions as a link farm, likely intended to redirect users to malicious sites or phishing pages. The ML classifier and ClamAV detection strongly suggest malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9005

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    The PDF is small but contains many clickable external PDF links spread thin across many distinct hosts, with no single dominant host. This is corroborated by a utm_term SEO-redirector link and/or links parked on free or disposable content hosts. The pattern matches the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload or redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk lies in the linked destinations.
  • External URI [info] PDF_URI
    The PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://dugedepap.ru/award?keyword=como+aprender+ingles+pdf+descargar (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000f44d.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF44D
    Size: 5380 bytes
    SHA-256: 9b366bad230ea8a1341261d0f6924c1cb816938142482dbe9b1c82b711fda0d9
  • font_01_sfnt_off0001067e.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1067E
    Size: 11920 bytes
    SHA-256: 0c52e0667060a541599c9a66132d43529abece38011780257389649e8478a7bd