Malicious PDF — malware analysis report

Static analysis result for SHA-256 316ef16ca820c87f…

Verdict: MALICIOUS
File type: PDF
Size: 96.1 KB
Created: 2021-03-11 08:40:22 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-08-20
MD5: d5ffe71a7b049a1fd93772bcc4129d08
SHA-1: b16390fc19146d7a54f214a7e45252ab20a03fca
SHA-256: 316ef16ca820c87f3841d7b93c35f782183812249d412243eba156c9a902f7bb
Risk Score: 134

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains multiple external URIs and is flagged by a machine learning classifier as malicious. The heuristic 'PDF_SEO_DISPOSABLE_LINK_FARM' indicates the PDF is part of a link farm on disposable hosting, suggesting a phishing or malware distribution scheme. The presence of a 'download button' lure further supports this, indicating the document's intent is to trick users into downloading a payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9973

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://vilenefex.ru/123?utm_term=badlapur+movie++300mb (PDF link annotation)
    • https://cdn-cms.f-static.net/uploads/4449968/normal_6045e42303411.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4417818/normal_60348d0c7c51b.pdf (in PDF document text)
    • http://tokivaburag.22web.org/atm_complaint_form_ubi.pdf (in PDF document text)
    • http://konalofasu.mywebcommunity.org/is_kill_the_irishman_based_on_a_true_story.pdf (in PDF document text)
    • http://tuzogat.sportsontheweb.net/zifopenepudewurifuba.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4460457/normal_602648d1e2ee5.pdf (in PDF document text)
    • http://kagaromorin.medianewsonline.com/google_account_search_history_delete.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • http://scripts.sil.orgThis (in PDF document text; extracted string as reported, fused with adjacent text)
    • http://www.fontrix.comhttp://www.nhncorp.com (in PDF document text; extracted string as reported, two URLs fused)
    • https://uploads.strikinglycdn.com/files/bbff8bb6-9a3e-4560-9064-d420994e8022/beretta_m9a1_shoulder_holster.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/d83da416-2ecb-4ce1-990c-d5550120deb9/62906851843.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/a1b4c933-d3fb-46c3-a852-446e1fea69b3/wixiku.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/41bd7265-b744-4943-9bf7-5b50add8bdb5/how_to_repair_cracked_pressure_washer_pump.pdf (in PDF document text)
    • https://s3.amazonaws.com/savifin/96762851891.pdf (in PDF document text)
    • https://s3.amazonaws.com/dotivaf/binalewala_music_sheet.pdf (in PDF document text)
    • http://tibobabinenan.epizy.com/10975510857.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/90c99876-54f0-416c-8e0d-fe01d4ff5e15/rojepep.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/45f308ab-5165-4945-971c-b2182d4031df/xibasudiluleror.pdf (in PDF document text)
    • https://s3.amazonaws.com/xezujuxoz/26577044526.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/0ae444ab-4e9e-417c-92aa-68ea2dbd6e28/varizep.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/7c3b387e-35e2-4351-bc1a-446ef63ee7a1/sig_p938_holsters_for_sale.pdf (in PDF document text)
    • https://s3.amazonaws.com/gudukupir/pomofejalujijijegigo.pdf (in PDF document text)
    • http://zejibanunepi.myartsonline.com/what_size_battery_for_2008_dodge_avenger.pdf (in PDF document text)
    • http://kababotatage.epizy.com/55059176672.pdf (in PDF document text)
    • https://s3.amazonaws.com/sajatesawodiji/dog_vaccination_schedule_in_india.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/340165a1-7ee1-4373-a89c-989a22cec997/define_tribe_in_sociology.pdf (in PDF document text)
    • http://sorisavitekinuj.onlinewebshop.net/18276739129.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    • http://scripts.sil.org/ (in PDF document text)
    • http://scripts.sil.org/OFLAbyssinica (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Each entry lists Filename, Kind, Source and Size, followed by the SHA-256 of the carved file.

  • font_00_sfnt_off0000ef3a.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEF3A
    Size: 5484 bytes
    SHA-256: 7e6859a1ceb5c686ba0aabf847efe88e7ba2b3c0369b24dcbe665fa9097f8ee1
  • font_01_sfnt_off000101ca.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x101CA
    Size: 20968 bytes
    SHA-256: 25d2fbfb5dd46bce752f1a10cbb8fe29a5ece10bd9e4a33cfa5ea6c363d8700b
  • font_02_sfnt_off000121fd.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x121FD
    Size: 2276 bytes
    SHA-256: fc56fa02dbe3458291c5fb7062dec2b01f2226dd21b4eff9ce88880a69c4a691
  • font_03_sfnt_off00012bc7.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12BC7
    Size: 11180 bytes
    SHA-256: c47ee993e9ef29d14c99baf373cb8a39ec68f10dfe29af915353193e98decfb4
  • font_04_sfnt_off00015230.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x15230
    Size: 16060 bytes
    SHA-256: c8d346df762f100b7f07f64474ebeefa7e764d1f3fb651c1b54482bebfbb2c95
  • font_05_sfnt_off000166cc.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x166CC
    Size: 2056 bytes
    SHA-256: 589f2a64e89766a8ae62896ea8444fa1a87810255c984bbc4fd2a260c4929d56