Malicious PDF — malware analysis report

Static analysis result for SHA-256 06f950cdee661860…

Verdict: MALICIOUS
File type: PDF
Size: 99.4 KB
Created: 2021-06-10 00:42:00 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-13
MD5: 1f6784149e1bbf41f248f0bbae148df7
SHA-1: 7d416a7329e4e52828bb953b28d5a4ff510d1c7f
SHA-256: 06f950cdee661860815815cb822b659b281ce4b82aa5c62d60f97cf0990bf68b
Risk Score: 186

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains a large number of external links, many pointing to disposable domains, indicating a link farm or SEO spamming operation. The ClamAV detection and ML classifier strongly suggest malicious intent, likely phishing or malware distribution. While no explicit script was found, the PDF structure and embedded links are indicative of an attempt to redirect users to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9960

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (source channel in brackets):
    • https://zajinet.ru/123?utm_term=audio+songs+tamil+songs [PDF link annotation]
    • https://vigekajabaka.weebly.com/uploads/1/3/4/7/134708837/982dc0633a0f207.pdf [in PDF document text]
    • http://www.ascendercorp.com/ [in PDF document text]
    • http://www.ascendercorp.com/typedesigners.html [in PDF document text]
    • http://fedorahosted.org/lohit [in PDF document text]
    • http://papoxuva.pbworks.com/w/file/fetch/144829881/54304056778.pdf [in PDF document text]
    • https://uploads.strikinglycdn.com/files/a2f2bae7-1056-4541-8de5-07781603f45e/latin_american_city_model_definition.pdf [in PDF document text]
    • https://uploads.strikinglycdn.com/files/a0f60dd6-bbf4-4ac3-be54-cdc908b1efb7/les_registres_littraires_tableau_rcapitulatif.pdf [in PDF document text]
    • http://ziludezubeju.pbworks.com/w/file/fetch/144955071/gurivi.pdf [in PDF document text]
    • http://lekipirunezi.pbworks.com/w/file/fetch/144415656/how_to_make_a_simple_electric_circuit_with_safety_pin.pdf [in PDF document text]
    • https://uploads.strikinglycdn.com/files/e099d320-1df4-41d8-8fe6-cad453560a82/mechanical_drawing_book_free_download.pdf [in PDF document text]
    • https://uploads.strikinglycdn.com/files/b68ee13c-b55c-41ed-ac7b-98daf89621af/pl_sql_tutorialspoint.pdf [in PDF document text]
    • http://bomasasawavi.pbworks.com/w/file/fetch/144840669/66898582921.pdf [in PDF document text]
    • http://gupipax.pbworks.com/w/file/fetch/144897417/photoshop_2020_crack_for_mac.pdf [in PDF document text]
    • https://uploads.strikinglycdn.com/files/2aa87b9d-1a0a-40ec-9b3a-02461447b505/ge_roaster_oven_chicken_recipes.pdf [in PDF document text]
    • http://nugewil.pbworks.com/w/file/fetch/144938787/crash_bandicoot_2_download.pdf [in PDF document text]
    • http://wuxikadafi.pbworks.com/f/masijaverafep.pdf [in PDF document text]
    • https://uploads.strikinglycdn.com/files/d1cda881-2b65-4c69-a61e-9de5079b3024/a_writers_reference.pdf [in PDF document text]
    • http://depowota.pbworks.com/w/file/fetch/144500313/eng1503_assignment_2_answers_2021.pdf [in PDF document text]
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# [in PDF document text]
    • http://purl.org/dc/elements/1.1/ [in PDF document text]
    • http://ns.adobe.com/pdf/1.3/ [in PDF document text]
    • http://ns.adobe.com/xap/1.0/ [in PDF document text]
    • http://ns.adobe.com/xap/1.0/mm/ [in PDF document text]
    • http://ns.adobe.com/xap/1.0/rights/ [in PDF document text]
    • https://savannah.gnu.org/projects/freefont/ [in PDF document text]
    • http://www.gnu.org/licenses/ [in PDF document text]
    • http://www.gnu.org/copyleft/gpl.html [in PDF document text]
    • http://scripts.sil.org/OFL [in PDF document text]
    • http://dejavu.sourceforge.net [in PDF document text]
    • http://dejavu.sourceforge.net/wiki/index.php/License [in PDF document text]

Extracted artifacts (8)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
stream_009_off00016d8c.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x16D8C | 6600 bytes
    SHA-256: 01b25b72209824a00bb07add26b51821b7f6ca418a62f992f8503a0b63c018c7
font_00_sfnt_off0000e3a8.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE3A8 | 6476 bytes
    SHA-256: 5c96381b2956ba85bdc606e02b4bc67750563a6a571ffb0d67253edb336a5a64
font_01_sfnt_off0000f37d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF37D | 3696 bytes
    SHA-256: 8767fb440bf141543467bbd2922fdabc15280197ef06ca7b77c01abc2064788f
font_02_sfnt_off000100ba.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x100BA | 5040 bytes
    SHA-256: 05c40a5efed3e672515b95e0b9c4891cd9ef4204d1a930c774012c9235e488b7
font_03_sfnt_off000111c8.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x111C8 | 5300 bytes
    SHA-256: aa70f9fc723c378c7957526377e30ca38d8dae1b0243b19a07a81bba2a17ff8f
font_04_sfnt_off000122c2.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x122C2 | 2684 bytes
    SHA-256: b2f790c6dbf0ba8e182e150b825650c59cabe9454f34d51eaac39825fc75d302
font_05_sfnt_off00012e69.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12E69 | 12236 bytes
    SHA-256: 8ec9437f74ab75d1ea87ddf2f8ec8a06eec1577f6c838135e90c8e4021e1ae25
font_06_sfnt_off00015776.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x15776 | 16488 bytes
    SHA-256: 80be93857c82f9cd5c82e96270bcc04d003d91d413095c80f2f6c72d0aafd6e2