Malicious PDF — malware analysis report

Static analysis result for SHA-256 77e422e6d7e78634…

Verdict: MALICIOUS
File type: PDF
Size: 173.5 KB
Created: 2021-03-08 22:00:25 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-08-20
MD5: 5f42aa67553eab1cb5bf86c56fb13c1b
SHA-1: a904e430e57ee7afe3fcdf5e1f0a7f9eddf4c57b
SHA-256: 77e422e6d7e786347717ee57c27e6ef910839efce4ff6321ac6f7facbda0e0e7
Risk score: 134

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous embedded URLs pointing to disposable domains, characteristic of a link farm designed for phishing or malware distribution. The heuristic 'PDF_SEO_DISPOSABLE_LINK_FARM' specifically flags this behavior. While no scripts were extracted, the presence of external URIs and the ML classifier's high confidence score indicate malicious intent, likely to redirect users to malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9711

Heuristics (6)

  • ClamAV detection [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Urgency / deadline lure [low] SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://baarspo.ru/strik?utm_term=les+miserables+musical+plot+synopsis (PDF link annotation; the utm_term SEO-redirector link referenced by PDF_SEO_DISPOSABLE_LINK_FARM)

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size

font_00_sfnt_off00024480.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x24480 | 3988 bytes
    SHA-256: 7badc3bb4aa1d70911246cd68888f6e3c9fbf2645f5c9453696a7cfcc35afe8a
font_01_sfnt_off000252a4.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x252A4 | 5260 bytes
    SHA-256: f7f7bdfe8f33db00a379139ab5cf29b6ef6a1281196b289c2f45b997229f082c
font_02_sfnt_off00026476.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x26476 | 12636 bytes
    SHA-256: cd4686f685037ed608f8386fb0526529c5ab757d3b590d1f71f872b47058ed43
font_03_sfnt_off00028ecc.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x28ECC | 16292 bytes
    SHA-256: c07ac580b7df6a24073ec81157818cfbecb33716234d40393b5d34b537561dcf