Malicious PDF — malware analysis report

Static analysis result for SHA-256 4e04a66f6d40604d…

Verdict: MALICIOUS
File type: PDF
Size: 79.4 KB
Created: 2021-03-13 20:56:52 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-07-07
MD5: 96336652efb2a8aef1b5def596c5bac2
SHA-1: 196bfe5e1caa2722bd7acee95a5ff3e25b0fcbc0
SHA-256: 4e04a66f6d40604d690460a5eb838d09aa9b37270486297ff420b09ba339c15f
Risk Score: 312

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.001 User Execution: Malicious Link
  • T1059.007 JavaScript

This PDF file is identified as malicious by multiple critical heuristics, including ClamAV and an ML classifier. It contains a link farm with numerous external links, some pointing to known malicious redirectors and one impersonating Apple for credential phishing. The presence of a 'download' button lure further supports a malicious intent to trick the user into interacting with the document.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9991

Heuristics (8)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0.
  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Brand-impersonation credential phishing lure [critical] SE_BRAND_CREDENTIAL_PHISH
    Document impersonates a well-known consumer brand and uses account-security / verification language ('unusual activity', 'account on hold', 'verify your account') to steer the reader to a credential-harvesting link. Corroborated by: action link to abused redirector https://mubisajapesufu.weebly.com/uploads/1/3/4/6/134620746/wotamenoj.pdf.
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). This is a low-signal finding unless other findings point to a malicious workflow.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000e93c.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE93C
    Size: 4772 bytes
    SHA-256: 76b371f42629683b1972e0d37c782ff6b8f54bfa1f552c672fd863b9d214df15
  • font_01_sfnt_off0000f973.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF973
    Size: 11240 bytes
    SHA-256: b12040dcc32bcb3ba0da3c26d00a84a1ff66d6becc067f6fed457c392e2f1518
  • font_02_sfnt_off00012006.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12006
    Size: 4324 bytes
    SHA-256: 1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e