Malicious PDF — malware analysis report

Static analysis result for SHA-256 023f5c9779f4b441…

MALICIOUS

PDF

76.3 KB Created: 2021-03-11 03:01:49 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-23
MD5: dc5744c7ced484f7a5025cdb4d4bb511 SHA-1: 3743cf5963d92be477d2be754b76f0c2172e791e SHA-256: 023f5c9779f4b441587fa56e3db8c6ec75db4c790dfdc0b9d32cf11db964362f
184 Risk Score
Tags
free-cdn-ebook-manual-lure

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7091

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jumiwimov.ru/award?keyword=little+fugue+in+g+minor+trumpet+pdf PDF link annotation
    • https://cdn-cms.f-static.net/uploads/4369664/normal_602e986a8e61f.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4419628/normal_5ff8938b8bd5d.pdfIn PDF document text
    • https://cdn.sqhk.co/zoxinugokas/hfkjcha/prison_escape_films_list.pdfIn PDF document text
    • https://senevilamopon.weebly.com/uploads/1/3/0/8/130814687/4851933.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4495251/normal_5fcefc2c7b3ec.pdfIn PDF document text
    • https://nudozulewofofij.weebly.com/uploads/1/3/4/7/134711849/tejox.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4413978/normal_602d755b91b32.pdfIn PDF document text
    • https://woxukobu.weebly.com/uploads/1/3/4/3/134392577/72db34760.pdfIn PDF document text
    • https://cdn.sqhk.co/felodunom/ignFgjI/xevox.pdfIn PDF document text
    • https://komamopiragi.weebly.com/uploads/1/3/4/4/134444029/goxuxugu-vekotoneni-bidinukamuri.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4403540/normal_6031f793ed014.pdfIn PDF document text
    • https://cdn.sqhk.co/kukisigafumi/ihhdigA/nexozutepejusukax.pdfIn PDF document text
    • https://pefuxagofir.weebly.com/uploads/1/3/4/3/134359429/5836134.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://59e5a08b-0d8d-455f-a3a7-35a3b781ab3e.filesusr.com/ugd/784815_4c31fdfb3920403e9c3908c729713301.pdf?index=trueIn PDF document text
    • https://s3.amazonaws.com/mukut/the_royal_crest_room_menu.pdfIn PDF document text
    • https://s3.amazonaws.com/lebejos/sony_dsc-_rx100m6_help_guide.pdfIn PDF document text
    • https://s3.amazonaws.com/bolovopizonuki/adverb_worksheets_4th_grade_free.pdfIn PDF document text
    • https://b1f0a730-f0e4-4bcf-918d-a915077b90d0.filesusr.com/ugd/a7c69d_925882ee5a8e49e9ae003c0c9a34116c.pdf?index=trueIn PDF document text
    • https://bad3f395-1638-4667-b349-d6f934eeab49.filesusr.com/ugd/ed2d23_5cdb68380b22409497769384a6e08147.pdf?index=trueIn PDF document text
    • https://68358877-4ee6-4e53-94f7-4bd9665c1f53.filesusr.com/ugd/3bbd68_b55983cb24bc432bbef48be204df8b82.pdf?index=trueIn PDF document text
    • https://af18ad75-7652-4b25-b9e0-8da5fded0af1.filesusr.com/ugd/529385_b7b3b46438ef4909903de16cd6be75f3.pdf?index=trueIn PDF document text
    • https://7fe6b731-3703-45da-bcbe-faf39b4d3392.filesusr.com/ugd/880a7e_2a08ebf14503458684345d13ec4deb3e.pdf?index=trueIn PDF document text
    • https://13cfbe10-32e4-4d7a-9072-8dbd3280e6b8.filesusr.com/ugd/994e9e_6120e388c5234f8b96ab05d8b0166474.pdf?index=trueIn PDF document text
    • https://01d7ec8a-e38e-4e33-8c76-1be31754498b.filesusr.com/ugd/24d943_c3d155f678b94b2bb6b74a54475ee0a5.pdf?index=trueIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000eee7.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEEE7 4912 bytes
SHA-256: 0236cc9d23ad0b5e0e9f15d31bac2ce09a6dea0dc6d0f4173c26c750c40daa53
font_01_sfnt_off0000ff90.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFF90 15664 bytes
SHA-256: ec4eff75de56ecd12b43895489a6960704739e16ea5c7829ebc8d382d72deb03

Open this report in the interactive analyzer, or submit your own file for analysis.