Malicious PDF — malware analysis report

Static analysis result for SHA-256 06e7281030ccd038…

MALICIOUS

PDF

84.6 KB Created: 2021-04-04 15:52:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-14
MD5: eeaf76227b1abef649189399751f7417 SHA-1: 95422590cb8cbd9e6edc07e4315d56273064c691 SHA-256: 06e7281030ccd038ae9635fb05fce13edab6f43dbebd7a2950ce15ea3913e55f
184 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file contains a large number of external links, many pointing to disposable domains and potentially malicious content, as indicated by the PDF_SEO_LINK_FARM and PDF_SEO_DISPOSABLE_LINK_FARM heuristics. The ClamAV detection and ML classifier further support its malicious nature. The document body, though heavily obfuscated, suggests a lure related to chest pressure, likely a pretext to drive traffic to the link farm.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7608

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://soxebez.ru/aws?utm_term=que+es+tener+presion+en+el+pecho PDF link annotation
    • https://cdn.sqhk.co/fazituku/h1xSjaw/24454373438.pdfIn PDF document text
    • https://laxuwipulave.weebly.com/uploads/1/3/5/9/135956831/tikex_sukitepis_xaluliborig_zibarobatedon.pdfIn PDF document text
    • https://zuzedunili.weebly.com/uploads/1/3/4/4/134460484/kilakal.pdfIn PDF document text
    • https://cdn.sqhk.co/kolokejo/0fA7WWr/53569169230.pdfIn PDF document text
    • https://gewasulupav.weebly.com/uploads/1/3/0/7/130740056/4fb789c185.pdfIn PDF document text
    • https://cdn.sqhk.co/nuxezitowefi/Dg9aiiF/komumixeromusamewagom.pdfIn PDF document text
    • https://cdn.sqhk.co/nofatazor/eE4hiib/burj_khalifa_full_hd_video.pdfIn PDF document text
    • https://bekodezu.weebly.com/uploads/1/3/1/8/131856725/1b8f2a2abc578b.pdfIn PDF document text
    • https://cdn.sqhk.co/jaruxabal/PRMyhbc/53201337934.pdfIn PDF document text
    • https://jenejipita.weebly.com/uploads/1/3/4/4/134473981/8df191a2d71609.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/0e57b401-bbf3-4b2a-bc33-e4533523cc1b/powermax_45xp_review.pdfIn PDF document text
    • https://ee60c613-3dd1-430d-b711-08e3dcbf0273.filesusr.com/ugd/19ce5d_171a4c5f307649c1a53dfcf11f6c9655.pdf?index=trueIn PDF document text
    • https://0ca3454e-05ac-49fc-8d00-644b1af7be3c.filesusr.com/ugd/8bf3fc_1804a5fa1db74e4d94e6a465b46235bc.pdf?index=trueIn PDF document text
    • https://a22c3535-4c29-4f26-bf6b-1e631d3648e5.filesusr.com/ugd/28986c_87bf0ad223a04995afc316e1421d84d3.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/eba149e7-5897-4619-b37d-2ab3f89eea17/husqvarna_rz4623_deck_belt_diagram.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/188f0ba3-120d-4e76-a9bf-fb73b70b9ef8/bose_acoustimass_10_series_v.pdfIn PDF document text
    • https://d1b6b380-f15b-462b-86b5-0b089ba7d90d.filesusr.com/ugd/f99a33_5fd0fa9451e54f5f857f02a333281381.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/99c25958-af8b-4dd5-ad3d-9ad54d1eb981/what_causes_a_dryer_not_to_get_hot.pdfIn PDF document text
    • https://aa4a64a1-c69a-4176-9ab9-82648dcabbba.filesusr.com/ugd/70701b_e4b0fab2a85342c49d8568965a0a2ea7.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/2cb986a1-2a49-4d84-9570-154301e0a301/pentair_intellichlor_ic20_not_working.pdfIn PDF document text
    • https://a6f18165-9bfd-46c9-8f51-0ab50cd0b687.filesusr.com/ugd/265c7a_28b7a45eef2243b2bf6c3dd4466aa533.pdf?index=trueIn PDF document text
    • https://02796127-04ec-4c85-b270-c6f7310ebb18.filesusr.com/ugd/ce0e6d_c60b0e25508645478f365e072bfb72ef.pdf?index=trueIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00013283.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x13283 4872 bytes
SHA-256: 5881243621135814e3984da3e71d16b1d9555b2da44ef9b7701147e0143b8915