Malicious PDF — malware analysis report

Static analysis result for SHA-256 6bc6c290ec2dd2cd…

Verdict: MALICIOUS
File type: PDF
Size: 71.9 KB
Created: 2021-03-14 02:06:06 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-23
MD5: 4ba3165cd902d5ef54bb95b3161de46d
SHA-1: 926fbc13748b5f63473a27e9a1e4f401f2858a1d
SHA-256: 6bc6c290ec2dd2cd9cf69d3e7ae23ebe4840f6cc3c4751909404b3b94f12293e
Risk Score: 66

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged as malicious by an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9998

Heuristics (4)

  • Small PDF is a non-clustered link farm on disposable hosting (severity: medium; rule: PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (severity: info; rule: PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (severity: info; rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (channel in parentheses):
    • https://soxebez.ru/strik?utm_term=medea+euripides+rex+warner+translation (PDF link annotation)
    • https://cdn.sqhk.co/loganidob/Jhagfgh/ark_wyvern_eggs_not_spawning.pdf (in PDF document text)
    • https://cdn.sqhk.co/posiraki/gNhiibL/smith_s_2_step_knife_sharpener_instructions.pdf (in PDF document text)
    • https://cdn.sqhk.co/rorajakura/8jgUgdO/cartoon_mobile_screen_wallpaper_download.pdf (in PDF document text)
    • https://cdn.sqhk.co/tofatuxurejo/fNjjYJV/hungry_shark_world_map.pdf (in PDF document text)
    • https://cdn.sqhk.co/sepufaziru/gqWjijg/trick_art_dungeon_mod_apk_rexdl.pdf (in PDF document text)
    • https://cdn.sqhk.co/xumesapaxoku/digEOii/50884075054.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://db6d201d-bdff-4648-9982-d9cfaac7639e.filesusr.com/ugd/98857b_29ff7d10dc1c47ec8f1ec5f2b68c25c9.pdf?index=true (in PDF document text)
    • https://80b1f93a-fe74-4439-a81d-34814fa7a505.filesusr.com/ugd/e56fe2_e6c0c76414d5483fa41b268199994ab2.pdf?index=true (in PDF document text)
    • https://113c517c-d7b0-4b36-99d7-6722bcb7ef36.filesusr.com/ugd/8e66a5_dd5adf634c264cb9a837bc92e390d7ad.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/f041064d-150a-4a64-80b2-535b2225868f/python_libraries_for_spatial_data_analysis.pdf (in PDF document text)
    • https://f26e6bca-ce10-4524-9610-ed5ef7c8d48b.filesusr.com/ugd/ac8c68_8c3b31e21a5a4cf19bbbc9a4a297d339.pdf?index=true (in PDF document text)
    • https://80820154-e864-4b0c-832b-212b24169927.filesusr.com/ugd/c12414_e34c8972a64147eb83ebf44bdbf694b7.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/9c6bf06e-dac6-42ab-a20a-0aed635003cd/zovoxoj.pdf (in PDF document text)
    • https://8a833fea-7c9a-4d2e-a5a7-d3590f42a3e5.filesusr.com/ugd/9aab09_35364ced8b93454587708cdfc4576887.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/d4439103-eaac-4035-b3d7-9a8ae182dfb6/liduzolifipitutirumu.pdf (in PDF document text)
    • https://86908e24-11f3-43a1-9346-bf531f45ee0b.filesusr.com/ugd/97493d_bc61e49210d748c18f310d28e47a1f9c.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/5d25f1af-7fbb-4797-b362-a1b4407bddc9/jupevorukerulavuv.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/03d8bebd-edde-40a8-91e5-05501f78582b/jinem.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/29357964-97f7-4b7e-9989-7c5316239ea0/how_do_i_fix_my_samsung_battery_not_charging.pdf (in PDF document text)
    • https://eaae50f7-3b1c-4f1b-9b3c-e2a48377569d.filesusr.com/ugd/b96e41_54ca77c23b3e4a9ca30e29a45d927fab.pdf?index=true (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000dd3c.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xDD3C
Size: 5120 bytes
SHA-256: 60756cd63fe1d29930b106f40f781158a3063a098f0d2b83232bdb9754909fea

Filename: font_01_sfnt_off0000eed2.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xEED2
Size: 10408 bytes
SHA-256: 8cd59e2515e20997687840828d0b48fe939a5e54a9863dae14d02453a08e7ef3