Malicious PDF — malware analysis report

Static analysis result for SHA-256 05d608e4b97f276a…

MALICIOUS

PDF

76.1 KB Created: 2021-02-10 20:33:42 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-17
MD5: 1fd7d842071f6ef042651d10cb28f9f2 SHA-1: ddcd2bf791bfceb9c6a2ec28dcec857f3981a86f SHA-256: 05d608e4b97f276a548591b2d7c88471cb4a37d2fde5832d65e8cb3a971eabc5
286 Risk Score
Tags
free-cdn-ebook-manual-lure

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link T1059.007 JavaScript

The PDF document contains lures related to remote support tools, specifically mentioning 'Teamviewer'. It also features a large number of external links, many of which are hosted on disposable domains, suggesting a link farm or phishing operation. The presence of ML and ClamAV detections, along with heuristics indicating remote support lures and SEO link farms, strongly suggests malicious intent. No scripts were extracted, but the document's structure and embedded URLs point towards a phishing or credential harvesting attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 9

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Remote-support tool lure high SE_REMOTE_SUPPORT_LURE
    Document instructs the user to install, open, or connect with a remote-support tool such as AnyDesk, TeamViewer, Quick Assist, or ScreenConnect — high-risk in an unsolicited document
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • QR-code redirect lure medium SE_QR_LURE
    Document instructs the user to scan a QR code with a phone — consistent with QR phishing, but also common in legitimate documents
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://leonvi.ru/aws?utm_term=teamviewer+b%25E1%25BA%25A3n+m%25E1%25BB%259Bi+nh%25E1%25BA%25A5t PDF link annotation
    • https://static.s123-cdn-static.com/uploads/4423195/normal_5fde81bada7b8.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4452624/normal_5fd7ce8fdb27f.pdfIn PDF document text
    • http://mizigigutafax.iblogger.org/tijataputomavunonij.pdfIn PDF document text
    • https://nitiruminaxodax.weebly.com/uploads/1/3/0/7/130738633/zekanuvulamumon_makovifilozo_fofiki_zurevobit.pdfIn PDF document text
    • https://zeruposizagaki.weebly.com/uploads/1/3/4/8/134854722/4859547.pdfIn PDF document text
    • https://modevidiwuwos.weebly.com/uploads/1/3/5/3/135318048/dugoduzapo-bumutupojo-dipikiweliro-sefabuj.pdfIn PDF document text
    • https://genexezo.weebly.com/uploads/1/3/4/6/134616565/bulakinubuwepelul.pdfIn PDF document text
    • https://levalezekavazif.weebly.com/uploads/1/3/4/6/134639406/lutibebunojonojujote.pdfIn PDF document text
    • https://xedasijaw.weebly.com/uploads/1/3/1/4/131453620/xamajomitilabur.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4487201/normal_60228b110e03d.pdfIn PDF document text
    • https://kasitawudak.weebly.com/uploads/1/3/1/3/131380619/dikoriku-fisebatoj-medake.pdfIn PDF document text
    • https://zegikawa.weebly.com/uploads/1/3/4/6/134640481/jebimamupixenu-xanen-veminiwa-lujor.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4385424/normal_601de32e7dac7.pdfIn PDF document text
    • http://kir.center/oculus_rift_x_planejt5ft.pdfIn PDF document text
    • http://wownatural.fun/biotecnologia_farmaceuticaccq49.pdfIn PDF document text
    • http://jobauthor.online/369178292759rbm2.pdfIn PDF document text
    • http://f1l3download.site/curling_bonspiel_draw_templatesl5ym6.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://garuwefusu.epizy.com/labantwana_ama_uber_music_video.pdfIn PDF document text
    • http://zaxilofekuji.epizy.com/10035197255.pdfIn PDF document text
    • http://mipivazub.epizy.com/sheet_metal_cutter_for_drill.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ebed.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEBED 5648 bytes
SHA-256: 5802511b60e4aed83bf42fbde1b285eb258135c57a9c816e5224e7e70f07a449
font_01_sfnt_off0000fdd4.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFDD4 10364 bytes
SHA-256: 323e74d03564ffe42c98926173b377fe665e8f78fb7b87ab813d395cef9beb16

Open this report in the interactive analyzer, or submit your own file for analysis.