Malicious PDF — malware analysis report

Static analysis result for SHA-256 40b56923258d469d…

MALICIOUS

PDF

49.7 KB Created: 2020-11-09 14:36:18 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-04
MD5: 9657874818f86341aa95ab35b920fc0f SHA-1: 5cf1bd714f01188c0efbb9ba2c8b9c3827c6b489 SHA-256: 40b56923258d469df7921e601c5d6a04b96649993a5a5a2ff0ece00db2073417
186 Risk Score
Tags
free-cdn-ebook-manual-lure

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

This PDF document was flagged as malicious by an ML classifier. It uses brand-impersonation credential phishing. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Brand-impersonation credential phishing lure critical SE_BRAND_CREDENTIAL_PHISH
    Document impersonates a well-known consumer brand and uses account-security / verification language ('unusual activity', 'account on hold', 'verify your account') to steer the reader to a credential-harvesting link. Corroborated by: action link to abused redirector https://wixurawitubeza.weebly.com/uploads/1/3/4/3/134319602/3656474.pdf.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffset.ru/123?keyword=world+of+tanks+blitz+account+for+sale PDF link annotation
    • https://wixurawitubeza.weebly.com/uploads/1/3/4/3/134319602/3656474.pdfIn PDF document text
    • https://muwamobole.weebly.com/uploads/1/3/4/3/134356931/3599399.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4478134/normal_5fa57c49e6414.pdfIn PDF document text
    • https://batagokefo.weebly.com/uploads/1/3/1/0/131070859/kepesawes.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4426701/normal_5fa110d6ea821.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4375351/normal_5f8dddc90323a.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4401976/normal_5f93dce38626f.pdfIn PDF document text
    • https://varipejat.weebly.com/uploads/1/3/0/7/130739080/pevoxiravuwe.pdfIn PDF document text
    • https://livekurot.weebly.com/uploads/1/3/4/4/134443702/pijolijepa.pdfIn PDF document text
    • https://robubafo.weebly.com/uploads/1/3/4/5/134588337/tajol_remogimoxaparuf_jotuzun.pdfIn PDF document text
    • https://sabitafev.weebly.com/uploads/1/3/4/3/134308069/rebenijivuz_napiridunitik.pdfIn PDF document text
    • https://tojaluteder.weebly.com/uploads/1/3/4/3/134384479/e1dcc985f15.pdfIn PDF document text
    • http://fontawesome.iohttp://fontawesome.io/license/In PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005f3c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x5F3C 2368 bytes
SHA-256: da36d31bbcd46698d81721a5ff45e210e517c31a4fdea327c39a35d87995264d
font_01_sfnt_off000069d6.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x69D6 5284 bytes
SHA-256: f5f5188c79fe6f54a6fd77b247978f0ae67f47f0534d7d5a9da74dc53a222233
font_02_sfnt_off00007bf4.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x7BF4 11264 bytes
SHA-256: f6fa7ab13e456b5f3f670b2a25bb71bd0ebca6a0edf32b67184a656dc6ad1651
font_03_sfnt_off0000a251.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xA251 16688 bytes
SHA-256: b3e0061e1c609364af01d8ec0cd05a9ed48c9efa4cc97b6ec69446b74c6fd227

Open this report in the interactive analyzer, or submit your own file for analysis.