Malicious PDF — malware analysis report

Static analysis result for SHA-256 45ee399cbc4b8736…

MALICIOUS

PDF

64.0 KB Created: 2021-03-24 23:08:41 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-18
MD5: e3cc434a6b4987ce68014da02fa12954 SHA-1: 856511f8bfb27d446c92823d2284522e246a48cb SHA-256: 45ee399cbc4b87361e6c9f90e46f9308ebe9a4cc6bc6636ada801cec2f9c6526
184 Risk Score
Tags
free-cdn-ebook-manual-lure

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file exhibits characteristics of a link farm, containing numerous external URIs pointing to various PDF documents. The presence of a high number of links and the use of disposable hosting services suggest a malicious intent, possibly for SEO manipulation or to distribute further malicious content. ClamAV detection and ML classification further support its malicious nature.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8501

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://druttle.ru/award?keyword=bhagavatam+book+in+telugu+pdf PDF link annotation
    • https://pusesame.weebly.com/uploads/1/3/4/6/134662227/5340801.pdfIn PDF document text
    • https://mixuvuweti.weebly.com/uploads/1/3/1/4/131483588/2760827.pdfIn PDF document text
    • http://bozesedixek.mywebcommunity.org/how_to_get_gerudo_password.pdfIn PDF document text
    • http://tevalevas.22web.org/33066419616.pdfIn PDF document text
    • https://gidorimafemona.weebly.com/uploads/1/3/4/8/134867851/9560128.pdfIn PDF document text
    • http://lazategomid.scienceontheweb.net/argandoa_macroeconomia_avanzada_tomo_1.pdfIn PDF document text
    • https://turoliletipusu.weebly.com/uploads/1/3/5/9/135969349/5383377.pdfIn PDF document text
    • http://wadupobem.iblogger.org/el_libro_de_los_sueos_nmeros_y_su_significados.pdfIn PDF document text
    • http://wapajojakazewi.iblogger.org/1985315614.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://68fdcf0a-b1f0-4758-9edf-48d2be6d990b.filesusr.com/ugd/ac51ce_7f9a89014329409eb4f77665211ee9b2.pdf?index=trueIn PDF document text
    • https://82cb18f6-4a40-4824-ac11-10070f72ce02.filesusr.com/ugd/5aec95_b6e1c9aea5734aee94923fca88b0058f.pdf?index=trueIn PDF document text
    • http://jedolup.rf.gd/libro_arqueologia_del_saber.pdfIn PDF document text
    • https://f45985d3-969e-4a4b-a16b-f92b7c881388.filesusr.com/ugd/20da2d_485ef1d79bea471f9eb212c56341cd6a.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/f34dbfed-8825-4623-a29e-975489eddcc1/53227320702.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/a4b78368-0989-4676-a41a-949832141e07/31725716453.pdfIn PDF document text
    • https://229c3593-bb94-4e5d-9b9f-ca3747df48ef.filesusr.com/ugd/145364_b697e167a5104361890561536289ceac.pdf?index=trueIn PDF document text
    • https://ac263381-fdad-4fda-ae78-6df6d71032d6.filesusr.com/ugd/25c42e_b27c10b9f3e24c3cb46553567c11d5f5.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/a7e9bd4f-1253-41b0-842f-1b65be55292d/konobatigubibazaza.pdfIn PDF document text
    • https://592908bf-dd96-48cc-88d9-ffebbdd10d84.filesusr.com/ugd/f34823_bf6a1cf252c442b7914d9149963b837c.pdf?index=trueIn PDF document text
    • http://pomagupivedib.epizy.com/spinal_arachnoiditis.pdfIn PDF document text
    • https://0926596c-b1e6-4473-87d6-fed2e709bfeb.filesusr.com/ugd/e2a635_7284d96d14764853893b412d54a5bf43.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/9df3f0ea-148b-44a7-a269-8b6bfc2d7c4f/autopage_xt-72_lcd.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/79640179-c933-4b5d-9187-5ac44ae544dc/pekagem.pdfIn PDF document text
    • https://46fb9a51-9e16-4ad8-811e-2f7ed01702f7.filesusr.com/ugd/53363c_6035e1d3b40d4737bfd8c1a8e3f4b74d.pdf?index=trueIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e2bd.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE2BD 5492 bytes
SHA-256: 8cc7bcb902b1a8362f932082cd5785dfebc11b3c00fe6810e85ffef3b3af10c4

Open this report in the interactive analyzer, or submit your own file for analysis.