Malicious PDF — malware analysis report

Static analysis result for SHA-256 5bb945472d9a62eb…

Verdict: MALICIOUS
File type: PDF
Size: 136.5 KB
Created: 2021-04-04 22:33:54 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-18
MD5: 76ef0cbb3b3fd9e8f5a0faf82743b392
SHA-1: dcb020e5a78ca45d5125e70565836e0ae6d3852c
SHA-256: 5bb945472d9a62eb906daff27291fd5f25f5a4de814ca387430d90a4ca0616c4
Risk score: 134

Malware Insights

MITRE ATT&CK: T1566.001 Spearphishing Attachment; T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm and presents a deceptive download button. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9844

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (7)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                       Size
font_00_sfnt_off00016607.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x16607   6632 bytes
    SHA-256: 380f6cd4d79fb3c1b88d08f1f1aeaf03d61b7551b37f11ea293177a999b794c3
font_01_sfnt_off00017663.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x17663   4988 bytes
    SHA-256: 6fbba4a169ea6cf3231e3c805d5db1b8431b213bb54fbe1d68e6906d99c45661
font_02_sfnt_off000187c2.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x187C2   5052 bytes
    SHA-256: d7d91dcac03ca5258fe6a749de6313b92a94afd7eb0157f8d4ae691d1b9e4de6
font_03_sfnt_off00019901.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x19901   20760 bytes
    SHA-256: cd9f0d406a08a784069d22a262bebc066a09e1160e07066fd63b98207d0e6ae1
font_04_sfnt_off0001d7af.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1D7AF   18288 bytes
    SHA-256: ebcd3bd88b2fd72bef8c8e293cb737057f05b923e6030a68891d799accda84f4
font_05_sfnt_off0001f449.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1F449   4324 bytes
    SHA-256: ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3
font_06_sfnt_off0002020c.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x2020C   6340 bytes
    SHA-256: eaa8c3b5218b364352ff1e1bc1eaa67b328575e468298da5b1fd3e929967321b