Malicious PDF — malware analysis report

Static analysis result for SHA-256 29dcf004456f3cbf…

MALICIOUS

PDF

Size: 81.6 KB
Created: 2021-06-10 00:05:38 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-24
MD5: e21f131f066b942aa28098c227f8e272
SHA-1: d2e2a86f01696366e518ca54ce1b040e72da60e3
SHA-256: 29dcf004456f3cbf9376c6bc289f9a090f63e6eb78336a0fc2ff19a8892fe62b
Risk Score: 184

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6432

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://coretry.ru/pbw?utm_term=sao+alicization+war+of+underworld+part+2+watch (PDF link annotation)
    • https://zibozofos.weebly.com/uploads/1/3/4/8/134896422/vamilokolilibekifij.pdf (in PDF document text)
    • https://buromikeraxisam.weebly.com/uploads/1/3/5/3/135323607/vezorevirofug-lozeb-vamori.pdf (in PDF document text)
    • https://sobiwololisa.weebly.com/uploads/1/3/0/9/130969717/405e8ea9e34f41a.pdf (in PDF document text)
    • https://papunagaku.weebly.com/uploads/1/3/1/3/131384156/39640.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://uploads.strikinglycdn.com/files/9f372099-893d-4fa8-8523-878be54ba518/samsung_sm-t350_case.pdf (in PDF document text)
    • http://funinupun.pbworks.com/f/brush_pen_hand_lettering_worksheets.pdf (in PDF document text)
    • http://bevojoluvu.pbworks.com/f/47482599368.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/78cbb9df-330a-436f-8293-feef7e1cde2c/61239159851.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/a34482cb-d8f9-4297-8bdd-44895ab31979/mathematica_5.2_free_download_windows_7.pdf (in PDF document text)
    • http://nusuwoxub.pbworks.com/f/4126878863.pdf (in PDF document text)
    • http://jorowad.pbworks.com/w/file/fetch/144744279/97923213941.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/e8b12366-e0eb-4b98-a9b5-98496f629dbf/java_runtime_environment_1.7.0_download_64_bit.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/dda96d97-f0dc-47cd-a8dc-d708350613c3/33962974496.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/a785fa9d-7827-4e3a-806d-3a6ef2fd5a76/juxajisamikumesixobir.pdf (in PDF document text)
    • http://nimulivupale.pbworks.com/w/file/fetch/144627612/58409466505.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/7f5c8e10-a6dd-4dd8-8878-c0809e99a2c8/nedajevavopeb.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/e7b4f0ab-4c02-4c87-b42c-581813139495/jikinapimitaxetanalekum.pdf (in PDF document text)
    • http://bajupuko.pbworks.com/f/bcs_vocabulary_book.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/a1887a43-0efe-4596-aae6-76f431157848/sap_outline_agreement_transaction.pdf (in PDF document text)
    • http://febevolojezu.pbworks.com/w/file/fetch/144992847/car_driving_4_mod_apk.pdf (in PDF document text)
    • http://javefanudosa.pbworks.com/f/93519756097.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/318acb5f-21b2-4748-bb45-334e28b95beb/73712868396.pdf (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000f98d.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF98D
    Size: 10436 bytes
    SHA-256: 2a079085f217cd72a6d268385d7de48f10c33b65e53d3eebebb5f3b57c450a4c
  • Filename: font_01_sfnt_off00011c64.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11C64
    Size: 5324 bytes
    SHA-256: a50aa69eab94d47752de5f207270a01ceb26ff01b995224f6d752c34114b887d