Malicious PDF — malware analysis report

Static analysis result for SHA-256 04002715a87d8597…

MALICIOUS

PDF

77.3 KB Created: 2021-02-24 21:55:58 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-15
MD5: 07a18c4664d51c4c9b98d433406a9d44 SHA-1: ba014955e96f7f694bf57d4a2cbcdb7f5c699cb6 SHA-256: 04002715a87d85975ce6cf65b852808ed2bbcb1f74d380f6dd16f6960f9b7d49
166 Risk Score
Tags
free-cdn-ebook-manual-lure

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

This PDF file was flagged by multiple heuristics as suspicious, including being a link farm on disposable hosting and containing invisible links to suspicious domains. The ML classifier and ClamAV also identified it as malicious, specifically as a phishing trojan. The embedded URLs and the nature of the heuristics strongly suggest a phishing or malware distribution attempt, likely delivered as a spearphishing attachment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Image-heavy PDF with invisible link to suspicious domain high PDF_SUSPICIOUS_LINK_LURE
    PDF is a small image-heavy lure with invisible link annotations that send the user to a suspicious high-risk-domain URI. This matches credential-phishing carriers where the visible document is only a prompt and the real collection flow happens on the linked website.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://baarspo.ru/strik?utm_term=how+to.improve+english+speaking PDF link annotation
    • http://italia-doc.space/sanujirujopufijapupuzifugg5q.pdfIn PDF document text
    • https://cdn.sqhk.co/devuzemalut/ugghhij/57556780459.pdfIn PDF document text
    • http://com-login8.xyz/34721912844xogw0.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4531523/normal_5fd0a252807eb.pdfIn PDF document text
    • http://winwites.space/buku_bivalviayoml8.pdfIn PDF document text
    • https://cdn.sqhk.co/xugumewaz/igi6hgo/awm_gun_sound_message_tone_download_mp3.pdfIn PDF document text
    • http://itdiscount.pro/gramtica_ingls_avanadoc6wb8.pdfIn PDF document text
    • http://itfamily.pro/33199941690f92ls.pdfIn PDF document text
    • http://smartcoin.design/mending_wall_questions_and_answerst4nxf.pdfIn PDF document text
    • https://cdn.sqhk.co/mofijovelu/aQHjdfA/45694769271.pdfIn PDF document text
    • https://xutareziwax.weebly.com/uploads/1/3/5/3/135327408/8f1195.pdfIn PDF document text
    • http://homearfes.com/konibunawumazixomesawuwx2ww.pdfIn PDF document text
    • https://cdn.sqhk.co/golemejexeno/jbCgghg/poker_themed_pinball_machine.pdfIn PDF document text
    • http://yandex-dostav.ru/tupodojy2lg.pdfIn PDF document text
    • https://cdn.sqhk.co/bumadawab/jfI8VWz/92774931841.pdfIn PDF document text
    • http://azules.ru/8309245357g82as.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://s3.amazonaws.com/laginekux/tajud.pdfIn PDF document text
    • https://s3.amazonaws.com/vavabi/brown_bed_sheet_texture.pdfIn PDF document text
    • https://s3.amazonaws.com/medaliwifufugel/58795205857.pdfIn PDF document text
    • https://s3.amazonaws.com/xiwevitox/93187468098.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f0ff.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF0FF 5444 bytes
SHA-256: 010f4ca2d184c377bae12bef08de08161f4b1831a282269cc1abe4b1a12086ec
font_01_sfnt_off00010373.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10373 10596 bytes
SHA-256: d7f670e6edad9975eb9fc4632fcd358cf842f2ba3d1da6533c82664f9778a015

Open this report in the interactive analyzer, or submit your own file for analysis.