Malicious PDF — malware analysis report

Static analysis result for SHA-256 109cf5b115a3facb…

MALICIOUS

PDF

Size: 68.1 KB
Created: 2021-03-11 22:02:30 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-17
MD5: 006e821768b4e1013fe4fc9fd604d389
SHA-1: 2e7fd7e91e54ec9deb4d93cc53821e2384058321
SHA-256: 109cf5b115a3facbcf6d3cd927dac0b575b486475b645687cf92c339256240cb
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF carries 23 extracted URLs. The only clickable one, a link annotation to dafemum.ru, passes the searched-for document title as a keyword= query parameter, the pattern of an SEO-poisoning lure whose landing page mimics a search result for that title. The remaining URLs are visible but non-clickable .pdf links in the page text, most of them on file-hosting and CDN subdomains (the ascendercorp.com and scripts.sil.org/OFL links are font-vendor and licence URLs of the kind typically carried in embedded font metadata). Together this points to a generated carrier document that routes users into a phishing or trojan delivery chain rather than a document anyone wrote. The ClamAV signature and the Nyx classifier score (0.8464) corroborate the verdict. Note that the ATT&CK mapping includes T1059.007 (JavaScript), yet no heuristic in this report observes JavaScript in the file, so treat that mapping as unconfirmed.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8464

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://dafemum.ru/award?keyword=ambrose+bierce+chickamauga+pdf (PDF link annotation)
    • http://pakirekugep.scienceontheweb.net/41384206265.pdf (in PDF document text)
    • http://gifagudilul.mypressonline.com/3659141147.pdf (in PDF document text)
    • http://xutifufaxe.mypressonline.com/cuentos_latinoamericanos_cortos_de_terror.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://s3.amazonaws.com/xuvamuba/vidya_vox_kuthu_fire_mp4.pdf (in PDF document text)
    • https://fa90eb46-aa9b-4fd1-a2e8-e903ec8e50a4.filesusr.com/ugd/575fb0_bc7e1d2c276f46ef9a8adeb41ebf4d6d.pdf?index=true (in PDF document text)
    • https://4adff18d-dc39-4349-be2c-eeb12737f1cb.filesusr.com/ugd/9117e0_c22eefe0c7414a0989752c0a7653acfb.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/2bd1afa0-7ffa-491c-95cb-e47c1bf062da/the_tale_of_peter_rabbit_chapter_1.pdf (in PDF document text)
    • https://ba30dffa-51fe-4caa-9472-6f142403a9bb.filesusr.com/ugd/c2007e_bcb34adc6e91455fbff1b29e8576a06c.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/d81875a5-29b2-4102-bdb4-241b7a3de57a/94322223194.pdf (in PDF document text)
    • https://s3.amazonaws.com/gagagakigibapo/disney_theme_park_map_orlando.pdf (in PDF document text)
    • https://9849c7ec-8b19-4b81-9a64-db2537ea7c40.filesusr.com/ugd/97b1c0_2a91668b2e5d45e799aff86ba389e9df.pdf?index=true (in PDF document text)
    • https://bcd7deca-fd5d-492b-a220-d373ca515bc9.filesusr.com/ugd/12f4eb_986b4ceca17240d4bb689de9aff2e77f.pdf?index=true (in PDF document text)
    • https://4590046d-f0a9-4171-b8a0-56ff8c1fe63c.filesusr.com/ugd/0bfb20_1aeba8d2bcfe4457aabcd0a817435a73.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/e208c81e-90d5-4442-8851-9f3064bc7fa6/90032247549.pdf (in PDF document text)
    • https://s3.amazonaws.com/dobikasukavu/12321002615.pdf (in PDF document text)
    • https://73e25548-3913-4bbb-aa69-a1b25f69568d.filesusr.com/ugd/cece23_42d448ad56014190a481ba90c369b11b.pdf?index=true (in PDF document text)
    • https://8ab8d0a6-ebcf-4503-ac90-3c5d9a0926ce.filesusr.com/ugd/8585d4_84258d32a15e4f8ebcaf45baf00b97dd.pdf?index=true (in PDF document text)
    • https://s3.amazonaws.com/polexebuj/como_trabajar_autoestima_en_adolescentes.pdf (in PDF document text)
    • https://s3.amazonaws.com/taguxif/76640334666.pdf (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
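The two signals above, the PDF_SEO_LINK_FARM heuristic and the per-URL channel labels under EMBEDDED_URL, can be reproduced in miniature. The following is an added example written for this page, not the analysis platform's own code: it pulls URLs out of raw PDF bytes, labels each by the channel that reached it (a /URI link annotation versus text inside an inflated content stream), groups the .pdf links by site and applies an assumed small-file / link-count / host-share rule, and separately lists annotations whose query string carries a search-style keyword parameter as in the dafemum.ru URL. The thresholds in link_farm_verdict, the .test hostnames and the synthetic PDF produced by build_sample_pdf are constructed for the example; the ClamAV signature and classifier score are not modelled.

```python
import re
import zlib
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Crude, non-validating patterns over raw PDF bytes.
URL_RE = re.compile(rb"https?://[^\s()<>\"'\[\]]+")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")          # literal-string /URI only
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")  # direct /Length, not 'n 0 R'

def build_sample_pdf(text_urls, annot_url, compress=True):
    """Constructed input (not the analysed sample): one /Link annotation with a
    /URI action plus one content stream showing each URL as page text. Real
    files also use hex strings, TJ arrays and object streams; this toy does not."""
    body = b"".join(b"BT /F1 10 Tf 20 %d Td (%s) Tj ET\n" % (720 - 12 * i, u.encode())
                    for i, u in enumerate(text_urls))
    filt = b""
    if compress:
        body, filt = zlib.compress(body), b" /Filter /FlateDecode"
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
            b"/A << /S /URI /URI (" + annot_url.encode() + b") >> >> endobj\n"
            b"2 0 obj << /Length " + str(len(body)).encode() + filt + b" >>\nstream\n"
            + body + b"\nendstream\nendobj\n%%EOF\n")

def iter_decoded_streams(pdf):
    """Yield each stream body, inflating /FlateDecode. The stream dictionary is
    taken as everything from the last ' obj' token up to 'stream'; an indirect
    /Length is not resolved (we then trust the endstream delimiter) and other
    filters are passed through raw."""
    for m in STREAM_RE.finditer(pdf):
        head = pdf[:m.start()]
        pos = head.rfind(b" obj")
        obj_dict = head[pos if pos >= 0 else 0:]
        length = LENGTH_RE.search(obj_dict)
        data = pdf[m.start(1):m.start(1) + int(length.group(1))] if length else m.group(1)
        if b"/FlateDecode" in obj_dict:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                continue  # damaged or multi-filter stream: skip rather than guess
        yield data

def extract_urls(pdf):
    """De-duplicated (url, channel) pairs. 'link annotation' = /URI action
    (clickable); 'document text' = URL inside a decoded content stream (visible,
    not clickable); 'other' = anywhere else in the raw bytes."""
    found = {}
    for m in URI_ACTION_RE.finditer(pdf):
        found.setdefault(m.group(1).decode("latin-1"), "link annotation")
    for data in iter_decoded_streams(pdf):
        for m in URL_RE.finditer(data):
            found.setdefault(m.group(0).decode("latin-1"), "document text")
    for m in URL_RE.finditer(pdf):
        found.setdefault(m.group(0).decode("latin-1"), "other")
    return list(found.items())

def site_key(url):
    """Last two host labels. No public-suffix list, so 'co.uk'-style domains
    over-merge, but per-account subdomains of one file host fold together."""
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

def link_farm_verdict(pdf, max_size=250_000, min_pdf_links=10, top_share=0.4):
    """Assumed thresholds (ours, not the report's): flag a file of at most
    max_size bytes with at least min_pdf_links URLs ending in .pdf, at least
    top_share of them on one site. Also list link annotations whose query
    string carries a search-style keyword parameter."""
    urls = extract_urls(pdf)
    pdf_links = [u for u, _ in urls if urlparse(u).path.lower().endswith(".pdf")]
    sites = Counter(site_key(u) for u in pdf_links)
    top_site, top_n = sites.most_common(1)[0] if sites else ("", 0)
    share = top_n / len(pdf_links) if pdf_links else 0.0
    keyword_annots = [u for u, ch in urls if ch == "link annotation" and
                      any(k in parse_qs(urlparse(u).query) for k in ("keyword", "q", "query", "search"))]
    return {"size": len(pdf), "urls": len(urls), "pdf_links": len(pdf_links),
            "top_site": top_site, "top_share": round(share, 2),
            "keyword_annotations": keyword_annots,
            "PDF_SEO_LINK_FARM": (len(pdf) <= max_size and len(pdf_links) >= min_pdf_links
                                  and share >= top_share)}

# Constructed sample (.test is a reserved TLD, so nothing here resolves): seven
# .pdf links on per-account subdomains of one file host, three on a second
# host, one font-licence page, and an annotation carrying a keyword= lure.
TEXT_URLS = [f"https://{h}.filehost.test/ugd/{i:08x}.pdf?index=true"
             for i, h in enumerate("aaaa bbbb cccc dddd eeee ffff gggg".split())]
TEXT_URLS += [f"https://cdn.other.test/files/{i}/{i}{i}.pdf" for i in range(3)]
TEXT_URLS += ["http://fonts.vendor.test/licence.html"]
ANNOT_URL = "https://lure.example.test/award?keyword=some+book+title+pdf"
SAMPLE_PDF = build_sample_pdf(TEXT_URLS, ANNOT_URL)

if __name__ == "__main__":
    for url, channel in extract_urls(SAMPLE_PDF):
        print(f"{channel:16} {url}")
    print(link_farm_verdict(SAMPLE_PDF))
```

For the constructed sample, link_farm_verdict returns PDF_SEO_LINK_FARM True with top_site "filehost.test" and top_share 0.7, and the keyword= annotation is listed on its own; a two-citation document built with the same helper is not flagged. Regexing raw bytes is a triage shortcut: production tooling should walk the xref table and object streams and decode hex strings and TJ arrays, otherwise document-text URLs inside compressed object streams will be missed and the link count under-reported.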

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000ed3d.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xED3D
Size: 5424 bytes
SHA-256: 77aa11edd1abc57852b8b0ba17b91771a93cd570196099d49f61faa91c91cdda