Malicious PDF — malware analysis report

Static analysis result for SHA-256 7d3519ba65cb387a…

Verdict: MALICIOUS
File type: PDF

Size: 72.1 KB
Created: 2021-03-22 08:01:24 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-24

MD5: 17036b9db034fc1dba09804b5187a600
SHA-1: 594ec5576d283b84d44dfc2c8c5d9e8ebc973280
SHA-256: 7d3519ba65cb387aaac161759b8e1e24dca02c63ade5c4437a9fafc1a50be2d8

Risk score: 126

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9998

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting (severity: medium, rule: PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (severity: info, rule: PDF_URI)
    The PDF contains an external URI action, i.e. a link whose target is a URL outside the document.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://jacksth.ru/wix?keyword=dnai+timeline+a+scavenger+hunt+answers (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000dccb.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDCCB
    Size: 5364 bytes
    SHA-256: 0f51175f06c294026113dfead9a290293acdd06ef0f0c8fc370b0b8a3b73aa16
  • font_01_sfnt_off0000eefc.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEEFC
    Size: 10584 bytes
    SHA-256: 565e3fd246f9ba62d64ab7786fe09c5571a1692661bdca2e8e34088c8bcbded6