Malicious PDF — malware analysis report

Static analysis result for SHA-256 7e006065a4466f40…

MALICIOUS

PDF

73.4 KB Created: 2021-04-01 23:07:41 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-07-10
MD5: 24fc85d8a0e490baedcf6de239231d35 SHA-1: b97bb4443c4a20f5335514e6483d319462f64228 SHA-256: 7e006065a4466f406c221c39ba02418e9812e7a9d1242e48368c9b1c1654b349
194 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was identified as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. Heuristics reveal it functions as a link farm, directing users to external URLs, one of which is a download link for an executable. The document body, though heavily obfuscated, contains text related to downloading free PDF to Word converters, a common lure for phishing and malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://bologen.ru/award?keyword=download+free+pdf+to+word+full+893.+exe PDF link annotation
    • https://cdn.sqhk.co/narivujuraf/igcy2oH/du_application_form.pdfIn PDF document text
    • http://movawizaxaxato.mywebcommunity.org/63530823118.pdfIn PDF document text
    • https://cdn.sqhk.co/nurofiwele/jd4haia/love_quotes_for_her_funny.pdfIn PDF document text
    • https://cdn.sqhk.co/matajikiwov/phhideq/jazitomevid.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://3cde87c3-25ab-478b-b58d-ba072f1c7540.filesusr.com/ugd/255d97_e81bead8719441c0b1ec3ab24d49dc21.pdf?index=trueIn PDF document text
    • http://jasesazolaf.myartsonline.com/libonafilajifebozevo.pdfIn PDF document text
    • http://mejuton.epizy.com/young_life_need_talk_illustrations.pdfIn PDF document text
    • http://musepojomu.rf.gd/7th_grade_math_word_problems_and_answers.pdfIn PDF document text
    • https://43081b45-6e48-4b43-b724-9328fda377ae.filesusr.com/ugd/26481d_36f74aa897874ea0affb28204e7f403c.pdf?index=trueIn PDF document text
    • http://dawejur.atwebpages.com/luguwuv.pdfIn PDF document text
    • http://fogovulosuzan.onlinewebshop.net/14547837738.pdfIn PDF document text
    • https://181f3bdf-810f-4c34-abb3-9f3362228cd6.filesusr.com/ugd/30415f_f158d08c770c4cf3a4a0992118e0ea58.pdf?index=trueIn PDF document text
    • http://fazaburifug.myartsonline.com/lapapipive.pdfIn PDF document text
    • http://tuzuxutetug.atwebpages.com/how_to_do_stop_motion_animation_on_imovie_ipad.pdfIn PDF document text
    • https://2aa0b900-127f-4603-a19a-6a731d3c9eb1.filesusr.com/ugd/5eaffa_7bceda0daca343139230c8cf433f8282.pdf?index=trueIn PDF document text
    • https://e8f98835-b194-42a5-b43f-fe2f29920dd6.filesusr.com/ugd/bf650e_6d506065de5348168fbfed294110b125.pdf?index=trueIn PDF document text
    • https://02274cc9-8b57-4441-be19-e46c089ec46b.filesusr.com/ugd/f11b8f_3c229828979947c1a1ca8ea3e83f3b4f.pdf?index=trueIn PDF document text
    • https://83f018a0-8e49-44f0-b57e-805e464a5f06.filesusr.com/ugd/10a4aa_3431cbb4932a42afa5a3d62f74fb2eeb.pdf?index=trueIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e713.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE713 5564 bytes
SHA-256: 366dd02d242656e5dafeb2f2a584495e8dbb2d9c4c86f09aa61b85cd551699a8
font_01_sfnt_off0000fa32.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFA32 10916 bytes
SHA-256: b10e572c61b481f7b55f17d4bfecfcafc02b61ea1d8a9cce552702d8e82cbe89