Malicious PDF — malware analysis report

Static analysis result for SHA-256 06e58e7f555b4d19…

Verdict: MALICIOUS
File type: PDF
Size: 112.0 KB
Created: 2021-04-05 20:13:10 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-29
MD5: 460473b8a218886f826678c050e5db80
SHA-1: 3cb3be5cd06642b19079f5671de7b63f5974309c
SHA-256: 06e58e7f555b4d1945cf9cf6f1b4d3c02a622cf31cc92148231a9ba9c95298f3
Risk score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF document contains numerous embedded URLs, with one specifically highlighted as a lure for "shock wave 2017 english subtitle". This URL, `https://midufefew.ru/123?utm_term=shock+wave+2017+english+subtitle`, points to a domain associated with phishing and link farming. The ClamAV detection further confirms the malicious nature of the file, identifying it as a phishing trojan.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.2976

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://midufefew.ru/123?utm_term=shock+wave+2017+english+subtitle (PDF link annotation)

Extracted artifacts (13)

Files carved from inside the sample during analysis.
