Malicious PDF — malware analysis report

Static analysis result for SHA-256 25867de38052566c…

MALICIOUS

PDF

72.2 KB Created: 2021-05-24 23:46:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-08-20
MD5: e6941f1d266b7ba5bf0f8470e780e24f SHA-1: 22e87f56447d2e4a8e368b07d04744fb9e05b32f SHA-256: 25867de38052566c94704f58fcba66fedcb7d08bc8e3c72a8fa2276a559e9d38
186 Risk Score
Tags
free-cdn-ebook-manual-lure

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was flagged by multiple heuristics as malicious, including ClamAV and an ML classifier, indicating it is likely a phishing or malware distribution lure. The PDF contains a large number of external links, many pointing to disposable hosting, suggesting a link farm designed to redirect users to malicious sites. The presence of embedded URLs and the overall structure strongly suggest an attempt to exploit users through deceptive content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9956

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://dugedepap.ru/strik?utm_term=business+and+its+environment+david+p.+baron+pdf PDF link annotation
    • https://cdn-cms.f-static.net/uploads/4454286/normal_6017c64c86f2d.pdfIn PDF document text
    • https://vomomojivebaju.weebly.com/uploads/1/3/4/5/134599032/sawamivamajupalij.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4384048/normal_60488ef2141e8.pdfIn PDF document text
    • https://jedijevabepepox.weebly.com/uploads/1/3/0/7/130739982/nizegepowuf-domati-teludodudebud.pdfIn PDF document text
    • https://vudiwajexisipu.weebly.com/uploads/1/3/4/0/134096418/lufexijupot_timeverolig.pdfIn PDF document text
    • https://mevimozow.weebly.com/uploads/1/3/0/7/130776561/6225213.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4473919/normal_602ec5ad870c2.pdfIn PDF document text
    • https://sufivelogazawe.weebly.com/uploads/1/3/4/6/134600369/texeze_tupelixugo_fikobaxususomos_powipowosoxet.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4495988/normal_6024c6117553f.pdfIn PDF document text
    • https://bitujidup.weebly.com/uploads/1/3/4/5/134598072/getasadijipogow.pdfIn PDF document text
    • https://wokulenazaxur.weebly.com/uploads/1/3/4/7/134744474/f45c48f.pdfIn PDF document text
    • https://xominamoluz.weebly.com/uploads/1/3/4/3/134319977/bivuli.pdfIn PDF document text
    • https://kiriwalukejogof.weebly.com/uploads/1/3/4/3/134310578/8f3b6bf7.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4465012/normal_5fdf6099563b4.pdfIn PDF document text
    • https://kazowajobizitat.weebly.com/uploads/1/3/0/7/130775795/balobulo-gimimugirinuz-xevatejaxetavuf-ravalufat.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/620d2a4b-b034-436d-9224-45f89723b698/13679478765.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/d01ff192-90d2-4c94-b13d-f106d8bb1afa/bizajunafewi.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/50dc6ed6-849d-4c24-98df-6608b07f400e/89452862167.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/b7f62fc1-2d46-4776-9c38-5310217beab3/i_cant_find_the_code_for_my_universal_remote.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/91de5d00-a69e-458e-9766-af4bec5cc156/52809210233.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/289e1416-657b-4278-bbfa-ff3da75fb1ef/hamilton_beach_flexbrew_49974_troubleshooting.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/8ef12b0d-4a07-4c18-a4d7-161e39b637bd/how_to_make_green_eggs_without_food_coloring.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/25db4351-eae7-431d-bd5e-50083373ee09/craftsman_dyt_4000_original_price.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/99238773-e555-4113-9ad0-028d33e20750/college_student_engagement_theory.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/a1b96821-9b8f-41e1-bc20-95f0feb05a5e/kudavurazibabuf.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/9862164d-5952-403d-87ab-305615cb50c0/9462811074.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/497726e1-9af3-48a0-bf81-0884a7a494fe/twilight_saga_eclipse_2010_full_movie_online.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/42e6ab51-8b86-40ac-89a6-854822264bca/pupaxixusububopagexomupoz.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/b816ce9d-ad49-4ef4-8513-37b4a6799213/97604895957.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000da5f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDA5F 5436 bytes
SHA-256: 947147f1f6164c8a0622032d162acaf545e7ee1d2869d65e23121011a074aa1c
font_01_sfnt_off0000ecd3.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xECD3 10432 bytes
SHA-256: cb5c028d0c4a378caa02eeb1f91832531598406a229f0ba6148f4823a4235367

Open this report in the interactive analyzer, or submit your own file for analysis.