Malicious PDF — malware analysis report

Static analysis result for SHA-256 399fca044bb31229…

MALICIOUS

PDF

Size: 76.2 KB
Created: 2021-06-07 08:27:21 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-18
MD5: 3b377cf479eb0c71502ba18474647f9e
SHA-1: a44835ad7c83155b97babeff4295905fb97d5a6c
SHA-256: 399fca044bb312297ce31655e3f449398ea3cb028a70a0b5fc2c3117c24f2b76
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

This PDF document was flagged as malicious by ClamAV and by an ML classifier. It is a small (76.2 KB) wkhtmltopdf-generated file that carries one clickable link annotation pointing to wastran.ru and more than twenty URLs in its page text, nearly all of them links to other PDFs hosted on site-builder CDNs (cdn-cms.f-static.net, uploads.strikinglycdn.com, weebly.com), the pattern of a generated SEO link-farm carrier rather than a document with genuine citations. The two ascendercorp.com URLs and the scripts.sil.org/OFL URL are font-licensing strings that most likely come from the name tables of the two embedded sfnt fonts carved below, not from the link farm. No JavaScript heuristic fired in this static analysis, so the T1059.007 mapping is not corroborated by the results listed here. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8609

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://wastran.ru/pbw?utm_term=transition+words+sentences+worksheets (PDF link annotation)
    • https://static.s123-cdn-static.com/uploads/4410217/normal_5ff1e3e7c7dc2.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4418579/normal_60281d57736f0.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4367624/normal_60415d0649804.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4420239/normal_60b806447a9a6.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4455886/normal_6046002db169c.pdf (in PDF document text)
    • https://lufotoloxa.weebly.com/uploads/1/3/4/3/134318907/1a88be6a5.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4467036/normal_602982dd91684.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4375203/normal_6041e2000c10c.pdf (in PDF document text)
    • https://nanupubixo.weebly.com/uploads/1/3/0/9/130969545/7802762.pdf (in PDF document text)
    • https://nurixuwabojud.weebly.com/uploads/1/3/4/5/134587723/mojot.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4456728/normal_606e3058acf42.pdf (in PDF document text)
    • https://guduzuzej.weebly.com/uploads/1/3/1/6/131606672/5e6f4c3738b8.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://uploads.strikinglycdn.com/files/3a0523a9-b83d-4c92-91b2-91a568c7c3aa/81425553203.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/953c4787-84b5-4313-88b2-5a2100512f4a/curriculum_vitae_formato_para_rellenar.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/01436137-3c4d-4738-84d7-9b198043c0fb/how_to_program_vector_to_talk.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/db181831-2525-4b67-bc0b-c3c54d43da17/the_infancy_gospel_of_thomas_full_text.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/f3f4d8f4-3797-4061-9cc1-0e5f37e35b53/26402386826.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/b124fae7-43a6-4609-a3af-897c0938f149/90847751010.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/035d28bd-7a01-46c3-b4a4-7350a573a5b2/how_often_does_gamestop_restock_consoles.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/6964a53a-e127-46f3-84c9-2919f3edc190/bibopilejorinaxakax.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/db5965fb-fe8b-4cc6-b173-b7bcf19e05b1/ashab_e_kahf_in_urdu_part_14.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/8f10affe-b17f-4d08-8308-61eb8cbc0df8/34844177536.pdf (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
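The three URL-related heuristics above (PDF_URI, EMBEDDED_URL with its per-URL channel labels, and PDF_SEO_LINK_FARM) can be reproduced with a few dozen lines of standard-library Python. The block below is an added example, not the scanner's code: it pulls /URI link-annotation actions and URLs inside FlateDecode content streams out of raw PDF bytes, tags each with the channel it came from, and flags the file when it is small and its .pdf links cluster on one host. The thresholds, the hosts (cdn-a.example, siteN.example, landing.example, fonts.example) and the sample PDF are constructed assumptions built to mirror the shape of this report.

```python
"""Added example, not the scanner's own code: a minimal re-implementation of the
PDF_URI / EMBEDDED_URL / PDF_SEO_LINK_FARM checks. It finds /URI link-annotation
actions and URLs inside FlateDecode content streams, labels each URL with the
channel it came from, and scores host clustering. Thresholds and the sample PDF
are constructed assumptions."""
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")            # /A << /S /URI /URI (...) >>
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.S)  # raw stream bodies
URL_RE = re.compile(rb"https?://[^\s<>()\"']+")

# Assumed thresholds; the scanner's real values are not published on the page.
SMALL_PDF_BYTES = 200 * 1024   # "small PDF"
MIN_PDF_LINKS = 8              # "many external PDF links"
MIN_TOP_HOST_SHARE = 0.4       # "mostly clustered on one host"


def _inflate(raw: bytes) -> bytes:
    """Decompress a FlateDecode stream (trailing bytes tolerated); fall back to raw."""
    try:
        return zlib.decompressobj().decompress(raw)
    except zlib.error:
        return raw


def extract_urls(pdf: bytes):
    """Return (url, channel) pairs using the report's two channel labels.
    Text URLs are matched on decoded stream bytes; real PDFs often split text
    across TJ arrays, which this simplified matcher does not reassemble."""
    found = []
    for m in URI_ACTION_RE.finditer(pdf):
        found.append((m.group(1).decode("latin-1"), "PDF link annotation"))
    for m in STREAM_RE.finditer(pdf):
        for u in URL_RE.findall(_inflate(m.group(1))):
            found.append((u.decode("latin-1"), "In PDF document text"))
    return found


def link_farm_check(pdf: bytes) -> dict:
    """Flag when a small PDF carries many .pdf links concentrated on one host."""
    urls = extract_urls(pdf)
    pdf_links = [u for u, _ in urls if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in pdf_links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_n / len(pdf_links) if pdf_links else 0.0
    flagged = (len(pdf) <= SMALL_PDF_BYTES
               and len(pdf_links) >= MIN_PDF_LINKS
               and share >= MIN_TOP_HOST_SHARE)
    return {"urls": urls, "pdf_links": len(pdf_links), "top_host": top_host,
            "top_host_share": round(share, 2), "flagged": flagged}


def build_sample_pdf(text_urls, annot_url: str) -> bytes:
    """Constructed one-page PDF: one /URI link annotation plus a Flate-compressed
    content stream whose page text consists of the given URLs."""
    body = " ".join("(%s) Tj T*" % u for u in text_urls)
    content = zlib.compress(("BT /F1 10 Tf 12 TL 20 700 Td " + body + " ET").encode())
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Contents 4 0 R /Annots [5 0 R] >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(content)
        + content + b"\nendstream",
        b"<< /Type /Annot /Subtype /Link /Rect [20 20 200 40] "
        b"/A << /S /URI /URI (" + annot_url.encode() + b") >> >>",
    ]
    out, offsets = [b"%PDF-1.4\n"], []
    for num, obj in enumerate(objs, 1):
        offsets.append(sum(map(len, out)))
        out.append(b"%d 0 obj\n" % num + obj + b"\nendobj\n")
    xref_pos = sum(map(len, out))
    xref = b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    xref += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out.append(xref + b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
               % (len(objs) + 1, xref_pos))
    return b"".join(out)


# Constructed sample mirroring the report: 12 .pdf links, 8 of them on one host,
# a font-licence URL in the page text, and a non-.pdf landing URL in the annotation.
SAMPLE_TEXT_URLS = (
    ["https://cdn-a.example/uploads/%d/normal_%d.pdf" % (4400000 + i, i) for i in range(8)]
    + ["https://site%d.example/uploads/1/3/4/doc%d.pdf" % (i, i) for i in range(4)]
    + ["http://fonts.example/OFL"]
)
SAMPLE_ANNOT_URL = "https://landing.example/pbw?utm_term=worksheets"


def analyze_sample() -> dict:
    return link_farm_check(build_sample_pdf(SAMPLE_TEXT_URLS, SAMPLE_ANNOT_URL))


if __name__ == "__main__":
    result = analyze_sample()
    for url, channel in result["urls"]:
        print("%-24s %s" % (channel, url))
    print({k: v for k, v in result.items() if k != "urls"})
```

Run it as a script to see each URL with its channel label followed by the verdict dictionary; point `link_farm_check` at the bytes of a real file to try the same logic on a sample. Note that the font-licence URL is listed under the document-text channel but is excluded from the .pdf link count, which is the distinction the report's summary draws between the link farm and the strings carried by the embedded fonts.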

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                       Size
font_00_sfnt_off0000fee7.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xFEE7    5100 bytes
  SHA-256: d4ef0d915d65cc527a02e55d82b04063634f75e1ddcb92bc5324a3453d4d785f
font_01_sfnt_off00011049.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x11049   10568 bytes
  SHA-256: 2bd63fc3c43b189e262fca9de2cc229d088c4bf3cebd990d94b4e429ab41ca2c