Malicious PDF — malware analysis report

Static analysis result for SHA-256 7d4b92daab92048c…

MALICIOUS

PDF

72.3 KB Created: 2021-04-24 23:02:02 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-25
MD5: 437305c609ead162cb89f3d0c82680d3 SHA-1: b077dfb77cadffa002f4f1d85ab830fcb4e1f647 SHA-256: 7d4b92daab92048ca72b59a504681bc943ea1f3b2c8e8aa6c100bde96b5815ae
126 Risk Score
Tags
free-cdn-ebook-manual-lure

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://druttle.ru/strik?utm_term=craftsman+1%252F2+hp+garage+door+opener+replacement+belt PDF link annotation
    • https://cdn.sqhk.co/vakanaju/hgjhxsh/hole._io_unblocked_games_76.pdfIn PDF document text
    • https://cdn.sqhk.co/wugunifikezu/XjbpppI/10577688547.pdfIn PDF document text
    • https://cdn.sqhk.co/zolulesar/ijPkx0V/looperman_drill_samples.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4490367/normal_60544c1fe7b47.pdfIn PDF document text
    • https://cdn.sqhk.co/suxujaba/e7ifDie/33190968212.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4451970/normal_601187868d62d.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4475859/normal_6046eea894bd4.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4374545/normal_605c622eeefee.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4414486/normal_600076a2a781e.pdfIn PDF document text
    • https://cdn.sqhk.co/pibilebomek/hdLow4F/24282521204.pdfIn PDF document text
    • https://cdn.sqhk.co/nifodotiriru/xvMjf97/border_patrol_jobs_las_vegas.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4409806/normal_602013ca34bf6.pdfIn PDF document text
    • https://cdn.sqhk.co/jadojibam/8ieliaS/20169637814.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://b73b9701-b1df-43be-b031-73419f87697c.filesusr.com/ugd/bfbd96_d70b21fd58764fc5bf79be3219595f54.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/219be28d-bfbc-4b5d-a90e-d0a15dd54e86/what_does_te_amo_mean_in_korean.pdfIn PDF document text
    • https://fefcf4f0-bf52-4086-adb3-b788df03f7bd.filesusr.com/ugd/da9d4c_30628e0c0239456dbcef070568666ea2.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/276d6ca9-a587-4816-86bf-dfd7fe85c8a6/60601048615.pdfIn PDF document text
    • https://8d5bcf17-53f2-4f21-b585-7a27aef14131.filesusr.com/ugd/7baf93_3fe235435d8c43ddbe0f10de8d58e833.pdf?index=trueIn PDF document text
    • https://03aaa7dd-6608-466c-a68c-f41c59811c05.filesusr.com/ugd/ae15ca_2b1e66312b924566bd3851c14f51e2e3.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/de9f5021-0dd7-48e9-ae7d-1189ebd5549a/the_crown_season_2_episode_10.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000dac0.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDAC0 5836 bytes
SHA-256: 3d3c02dd8d35060e396f280afce220d754ab6c14692f912219557301875b7652
font_01_sfnt_off0000ee7e.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEE7E 10708 bytes
SHA-256: 48040b20747846bb653b6a734478b70849f57bdbd5dea5575ff82428108333f1

Open this report in the interactive analyzer, or submit your own file for analysis.