Malicious PDF — malware analysis report

Static analysis result for SHA-256 5fd6f6453a8e8f9c…

MALICIOUS

PDF

165.2 KB Created: 2021-06-10 06:32:46 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-25
MD5: 210d3bcb9c3f68481b872ff8c75263ea SHA-1: 70402c90e9f419d490558fafbf14a380084ea4c4 SHA-256: 5fd6f6453a8e8f9c8153405fa3056cbe51dbc50965d3678d764bd562924e421a
124 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains numerous embedded URLs, many of which point to disposable hosting services and are structured as link farms. The heuristic 'PDF_SEO_DISPOSABLE_LINK_FARM' indicates a deliberate attempt to create a deceptive collection of links, likely to distribute malware or facilitate phishing. The presence of a URL pointing to 'coretry.ru' with a query related to downloading 'Harry Potter' books suggests a lure to attract users to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9558

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://coretry.ru/pbw?utm_term=harry+potter+sinhala+translation+books+download PDF link annotation
    • https://cdn-cms.f-static.net/uploads/4500887/normal_600d5a0d5c4ba.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4427287/normal_60225bc6bad0a.pdfIn PDF document text
    • https://xinorexuvon.weebly.com/uploads/1/3/4/6/134608307/wilazukisiniboke.pdfIn PDF document text
    • https://vigegenatiborig.weebly.com/uploads/1/3/0/7/130740049/27fc8ab0d8cb7.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4477615/normal_603787c79aef3.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4462730/normal_600ad98841771.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4484103/normal_5fec74f8401dc.pdfIn PDF document text
    • https://gakafapokizi.weebly.com/uploads/1/3/5/3/135319358/lizaxog.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4401714/normal_603dc9bc6f181.pdfIn PDF document text
    • https://nilemesobipefuj.weebly.com/uploads/1/3/2/3/132303022/9302297.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4446401/normal_6034e0ca85313.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/68ff9a4e-12d7-4861-9077-ff2250459b3a/bloons_td_6_free_download_iphone.pdfIn PDF document text
    • http://ridelox.pbworks.com/f/serial_number_need_for_speed_hot_pursuit_version_1.0.0.0.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/5f76a337-0bef-4af1-bfc5-ed9b6dfd519c/why_would_my_hp_printer_print_blank_pages.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/fc9d1933-1e9c-499d-bd97-a666e4ac675e/hoover_windtunnel_rewind_vacuum_belt.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/0384cfc0-a9d5-4a62-a35a-56a180211229/forward_start_option_pricing.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/4e654f42-ef75-4be0-a85d-4c415e9470b5/resmed_airsense_10_autoset_price_amazon.pdfIn PDF document text
    • http://nerobedevu.pbworks.com/w/file/fetch/144457689/super_bomberman_2_snes_rom_espaol.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/c8ee3efe-9b97-482c-a2b2-225b75d5ff87/dotojonugimu.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/e84031ff-b492-451f-82f1-2287d43011cf/fl_studio_full_version_apk_free_download_pc.pdfIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000253a6.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x253A6 5192 bytes
SHA-256: f618d3046d7c63adc14fd8fb99f87dee901a9665f9f4984d14d22bdaf06596a9
font_01_sfnt_off00026546.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x26546 12616 bytes
SHA-256: 0c91e15845d0c034a01054d2ea415452a9b50a5ca15f04bf5920de9d032e5443

Open this report in the interactive analyzer, or submit your own file for analysis.