Malicious PDF — malware analysis report

Static analysis result for SHA-256 6fbabf94073f89ba…

MALICIOUS

PDF

Size: 92.2 KB | Created: 2021-04-03 12:50:34 +03:00 | Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) | First seen: 2021-08-20
MD5: ecdbf8cff3b813819342e9610434b58d
SHA-1: 7246f214a61fb017b75b92b10c3e8382effe0f6a
SHA-256: 6fbabf94073f89ba97ccb30cfc8bf1cc76e08462ca12f709f01c4ee15ebd73da
Risk Score: 244

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of embedded links pointing to external PDF files hosted on disposable domains, a pattern used for SEO manipulation and for routing users to further malicious content. A clickable link to known malicious redirector infrastructure and the ML classifier's high score further support the malicious verdict. No scripts were extracted from this sample; the verdict rests on the document's structure and on the linked destinations, which point to a phishing or content-distribution vector rather than a parser exploit.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9984

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://crophysi.ru/wix?keyword=arabic+calligraphy+generator+online+copy+and+paste (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4420454/normal_605c1c0a4c3a6.pdf (in PDF document text)
    • https://pinuwolaterogus.weebly.com/uploads/1/3/5/9/135957395/1084fcac0c5e.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4468828/normal_605c715e6cfd5.pdf (in PDF document text)
    • https://jagotizepevex.weebly.com/uploads/1/3/4/4/134464701/c14e8a5.pdf (in PDF document text)
    • http://about-central.com/75313527200lulb7.pdf (in PDF document text)
    • https://zisibunekotif.weebly.com/uploads/1/3/4/9/134902626/355706.pdf (in PDF document text)
    • https://cdn.sqhk.co/pixafosabow/80Vt8Ha/getosibaxexopuzodoxam.pdf (in PDF document text)
    • http://lezapodilep.22web.org/davis_carvedilol.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4393028/normal_600bb15ad7286.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4470537/normal_604ce5897395a.pdf (in PDF document text)
    • http://fruit-ita.fun/kujotajoxubapibegebire9oap.pdf (in PDF document text)
    • https://cdn.sqhk.co/tivinarafuvu/hijjvgg/stormhill_mystery_family_shadows_bonus_chapter_walkthrough.pdf (in PDF document text)
    • https://kulipimeg.weebly.com/uploads/1/3/2/6/132695915/210a834f78ada5.pdf (in PDF document text)
    • http://momsmall.space/word_crazy_free_downloadq6r8a.pdf (in PDF document text)
    • https://cdn.sqhk.co/kuretunaba/cGZidWX/detailed_lesson_plan_in_science_free_download.pdf (in PDF document text)
    • https://cdn.sqhk.co/rowazazapa/dhfvjjH/free_editable_checklist_template_powerpoint.pdf (in PDF document text)
    • https://fukoxifixe.weebly.com/uploads/1/3/4/4/134460993/suzamazum.pdf (in PDF document text)
    • https://zejafopo.weebly.com/uploads/1/3/4/5/134505046/jafaguxowi.pdf (in PDF document text)
    • https://tuvopezape.weebly.com/uploads/1/3/4/7/134712323/kerunox.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4485810/normal_605d86067e662.pdf (in PDF document text)
    • https://cdn.sqhk.co/mikitikotak/NuFhiC0/netflix_android_tv_apk_mirror.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • http://fedorahosted.org/lohit (in PDF document text)
    • http://vuvodulewuxewe.epizy.com/piano_chords_sheet_music_free.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • https://savannah.gnu.org/projects/freefont/ (in PDF document text)
    • http://www.gnu.org/licenses/ (in PDF document text)
    • http://www.gnu.org/copyleft/gpl.html (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)
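The two link-farm heuristics (PDF_SEO_LINK_FARM and PDF_SEO_DISPOSABLE_LINK_FARM) and the duplicate-object heuristic (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) above describe shapes that are easy to check with a few lines of code. The following is an added example written for this report, not the analyser's own code or the analysed sample: it scans a hand-constructed PDF fragment for /URI link actions (a narrower channel than the "document text" extraction the report used), classifies the link set as clustered or non-clustered, and lists indirect objects defined more than once with different bodies, reporting what a first-wins and a last-wins reader would each resolve. The sample bytes, the host names, the thresholds (four links, 50% dominant-host share) and the severity labels are all assumptions made for the illustration.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample (not the analysed file): a minimal PDF-style body with
# link annotations to several external .pdf files, one carrying a utm_term
# query, plus object "4 0" defined twice, the second time with active content.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R 6 0 R 7 0 R 8 0 R 9 0 R] >> endobj
4 0 obj << /Title (Free template) >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://host-a.example/uploads/1/a.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://host-b.example/b.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://host-c.example/c.pdf?utm_term=free+template) >> >> endobj
8 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://host-d.example/d.pdf) >> >> endobj
9 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://www.w3.org/1999/02/22-rdf-syntax-ns#) >> >> endobj
4 0 obj << /Title (Free template) /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
# Dictionary keys that mark active content (assumed list for this example).
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA")


def extract_link_uris(pdf: bytes) -> list:
    """Return the target of every /URI action found in the raw bytes."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf)]


def classify_link_farm(uris, min_links=4, dominant_share=0.5) -> dict:
    """Apply the two link-farm shapes: many external .pdf links clustered on
    one host, or spread across many hosts (no dominant host), with a utm_term
    redirector link recorded as corroboration. Thresholds are assumptions."""
    pdf_links = [u for u in uris if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname or "" for u in pdf_links)
    utm = any("utm_term=" in urlparse(u).query for u in pdf_links)
    verdict = "none"
    if len(pdf_links) >= min_links:
        top_host, top_count = hosts.most_common(1)[0]
        if top_count / len(pdf_links) >= dominant_share:
            verdict = "clustered"          # PDF_SEO_LINK_FARM shape
        elif len(hosts) >= min_links:
            verdict = "non-clustered"      # PDF_SEO_DISPOSABLE_LINK_FARM shape
    return {"verdict": verdict, "pdf_links": len(pdf_links),
            "distinct_hosts": len(hosts), "utm_term": utm}


def find_duplicate_objects(pdf: bytes) -> list:
    """List (num, gen) objects defined more than once with differing bodies.
    first_wins / last_wins show what the two reader strategies resolve to;
    severity is raised only when a body carries active content."""
    bodies = {}
    for m in OBJ_RE.finditer(pdf):
        key = (int(m.group(1)), int(m.group(2)))
        bodies.setdefault(key, []).append(m.group(3).strip())
    findings = []
    for key, defs in bodies.items():
        if len(defs) > 1 and len(set(defs)) > 1:
            active = any(k in body for body in defs for k in ACTIVE_KEYS)
            findings.append({"obj": key, "definitions": len(defs),
                             "first_wins": defs[0], "last_wins": defs[-1],
                             "active_content": active,
                             "severity": "medium" if active else "info"})
    return findings


if __name__ == "__main__":
    uris = extract_link_uris(SAMPLE_PDF)
    print(classify_link_farm(uris))
    for f in find_duplicate_objects(SAMPLE_PDF):
        print(f["obj"], f["severity"], "first:", f["first_wins"], "last:", f["last_wins"])
```

On the constructed sample the link set is four .pdf links on four distinct hosts with a utm_term query, so it lands in the non-clustered bucket, and object 4 0 is reported once with its second body carrying an /OpenAction. Against a real file the regex approach misses URIs inside compressed object streams and will mis-split strings containing unbalanced parentheses; a proper PDF parser (for instance pdfid/pdf-parser or pikepdf) is the right tool for the full job, but the host-clustering and first-wins/last-wins logic carries over unchanged.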

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename                        Kind             Source                                       Size
font_00_sfnt_off0000ed3c.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0xED3C    7000 bytes
  SHA-256: 54ea47d1788d274a57e285cf9020f2d857eef8d5d7d54aee237c0b9277f4040b
font_01_sfnt_off0000fed2.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0xFED2    5564 bytes
  SHA-256: a1c65a1b1e7f4ca564d6e65d42e61904afbf7a8d331ea1fc27a427fe8d5c5502
font_02_sfnt_off000111b3.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x111B3   3500 bytes
  SHA-256: 094aa036cb230e0d7ce50de2410af8367843139688d2d7a6c1c28cfcabbe9697
font_03_sfnt_off00011ed6.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x11ED6   12300 bytes
  SHA-256: 86624608c583e706e3835a8747015c94988e30456bf35ed4e5a9216b76f511be
font_04_sfnt_off00014799.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x14799   16836 bytes
  SHA-256: cc0cb89d0eea04a0080ad5e5c19f7a7d2456b9e7b6e660575e1b289caec83016