Malicious PDF — malware analysis report

Static analysis result for SHA-256 32a2782e9d4a9303…

MALICIOUS

PDF

81.5 KB Created: 2021-05-21 11:58:43 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-21
MD5: f595fedfcd65635aae48e9fd378cad35 SHA-1: e8594f4be2958d5fd128ef36cc79cece9ca5f72b SHA-256: 32a2782e9d4a9303354f3930d9b9888479e20f5dcd58c1a7b916ec580fb5ddfc
184 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file is identified as malicious by ClamAV and ML classifiers, exhibiting characteristics of a link farm designed to redirect users to external malicious content. The document body, though heavily obfuscated, contains references to 'free download' and technical writing, likely serving as a lure. The presence of numerous external links, many hosted on disposable domains, strongly suggests a phishing or malware distribution scheme.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7692

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://midufefew.ru/strik?utm_term=technical+writing+by+bn+basu+pdf+free+download PDF link annotation
    • https://zudiwimuda.weebly.com/uploads/1/3/1/4/131438079/cd63d68264fab.pdfIn PDF document text
    • https://wekexobesunolo.weebly.com/uploads/1/3/0/7/130739288/caddbd.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4370059/normal_606306e69efe7.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4453721/normal_5fd91523ba821.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4366009/normal_6065105000d47.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4370764/normal_5fccec7028542.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4448121/normal_606cf5aded3d2.pdfIn PDF document text
    • https://kivobuduzuv.weebly.com/uploads/1/3/0/7/130739084/8bbfc.pdfIn PDF document text
    • https://samabuwe.weebly.com/uploads/1/3/0/7/130739499/4532067.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4485436/normal_6069bf60cc28d.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4493597/normal_5ff7703d5beb6.pdfIn PDF document text
    • https://purabadixubemik.weebly.com/uploads/1/3/5/3/135399060/tonawigil_jokup_weluxoz.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://www.daltonmaag.com/In PDF document text
    • https://s3.amazonaws.com/lixasifasi/megekugavuro.pdfIn PDF document text
    • https://s3.amazonaws.com/bitajemisajoz/5744107092.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/9ca58f7f-c585-4e20-8091-195fae051eca/dell_venue_8_pro_change_battery.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/ebc1bbac-d102-4d1a-8099-00bff63c9dbd/79372180538.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/9912e243-21e9-4891-a68a-51aa64e63756/jazasibuv.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/aa95d4d1-4789-476e-9aa2-3f558568cd7f/truyn_kiu_ca_nguyn_du_lp_9_tc_phm.pdfIn PDF document text
    • https://s3.amazonaws.com/wegemebufojafak/muziz.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/59dd6136-43fa-4eb4-9bef-49f51702ed7f/mojopakexe.pdfIn PDF document text
    • https://s3.amazonaws.com/vinejivunitego/advantage_of_balance_sheet_income_statement.pdfIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_004_off00012462.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x12462 17056 bytes
SHA-256: de3fb736f5607487c068e19d0351aa1d9777d3a727481056ca44fcefcff2606f
font_00_sfnt_off0000ec1e.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEC1E 5584 bytes
SHA-256: ad03e0ee91d7e772739ada6b30c625bc095fa6d08b8cf43b26ce4ec4e3997e93
font_01_sfnt_off0000ff15.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFF15 10844 bytes
SHA-256: 3275aec74d398d1f55d2a1e5deb940318a09979ea529db66e5e63c887c180b96
font_03_sfnt_off00013c89.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x13C89 4324 bytes
SHA-256: ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3

Open this report in the interactive analyzer, or submit your own file for analysis.