Malicious PDF — malware analysis report

Static analysis result for SHA-256 8201778b49e3307e…

Verdict: MALICIOUS
File type: PDF
Size: 94.0 KB
Created: 2021-06-12 04:26:54 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-23
MD5: b2102e9a1a43750ea26db8fb76f6e2db
SHA-1: 0064c80046c889683da1a3b3246839aff899be39
SHA-256: 8201778b49e3307e15db8760c36604cf5c25ed2e11bf6aa39d4c04189281b9b8
Risk score: 134

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV (Pdf.Phishing.Trojan) and by an ML classifier (malicious score 0.9897). It uses an urgency-based lure and embeds a large number of external links spread thinly across many unrelated hosts, the pattern of an SEO link farm rather than of normal document citations. The PDF itself carries no exploit; the risk lies in the linked destinations. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9897

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL label for which channel (macro, JS, link annotation, document body, ...) reached each URL. The XMP namespace URIs (w3.org, purl.org, ns.adobe.com) and the font vendor and licence URLs (ascendercorp.com, fedorahosted.org/lohit, scripts.sil.org/OFL, dejavu.sourceforge.net) come from document metadata and the embedded fonts, not from the lure.
    • https://wastran.ru/pbw?utm_term=jodha+akbar+song+jashn+e+bahara+mp3+download (PDF link annotation)
    • https://static.s123-cdn-static.com/uploads/4410415/normal_5fcf5c9e73ad3.pdf (PDF document text)
    • https://static.s123-cdn-static.com/uploads/4423427/normal_5fc7ae14dc077.pdf (PDF document text)
    • https://cdn-cms.f-static.net/uploads/4411245/normal_604cd61ca67d7.pdf (PDF document text)
    • https://cdn-cms.f-static.net/uploads/4392452/normal_6066178ed0f6c.pdf (PDF document text)
    • https://static.s123-cdn-static.com/uploads/4402501/normal_5feb780af1270.pdf (PDF document text)
    • https://cdn-cms.f-static.net/uploads/4366662/normal_5fd7730d62385.pdf (PDF document text)
    • https://cdn-cms.f-static.net/uploads/4476765/normal_60317b20b8230.pdf (PDF document text)
    • https://cdn-cms.f-static.net/uploads/4427086/normal_6024b263738fe.pdf (PDF document text)
    • http://www.ascendercorp.com/ (PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (PDF document text)
    • http://fedorahosted.org/lohit (PDF document text)
    • https://uploads.strikinglycdn.com/files/2c357384-1304-45b2-943a-cda6e6a28661/is_it_better_to_buy_a_house_now_or_wait.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/673b7340-8b36-43cf-84df-ea8dbe03dbb3/glory_to_god_mass_of_christ_the_savior_music_sheet.pdf (PDF document text)
    • http://zusemivak.pbworks.com/f/how_to_transfer_money_in_cash_app_to_bank_account.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/c72c16ac-34d0-446d-9ce4-2b2b40386a2c/astrology_for_you_free_download.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/fb0d179d-d9d2-4476-84db-739aa5880b87/melirum.pdf (PDF document text)
    • http://gebozuj.pbworks.com/f/what_is_the_relative_formula_mass_of_magnesium_hydroxide.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/8cd7531c-8e27-4770-8bf1-455b9ccc55fb/how_do_you_find_the_primary_and_secondary_voltage_of_a_transformer.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/5c89b975-9ec7-4e3c-ba88-05c8ee989336/2003_ford_explorer_sport_trac_owners_manual.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/13623163-d2ff-4c5f-9a81-c3a03752af47/kalitabixugotaf.pdf (PDF document text)
    • http://japakekuwita.pbworks.com/f/anno_1800_cheats_trainer.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/9ae86a0b-2baf-4bcb-8b60-693b12b44c10/46420307818.pdf (PDF document text)
    • http://subuzuj.pbworks.com/f/bally_bally_ni_tor_punjaban_di_lyrics.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/be772275-e7e5-43c7-b471-34b13bca98d1/54786179079.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/e8cb55c1-9082-4d85-ac4f-b2a43a4d59b4/75939877979.pdf (PDF document text)
    • http://javefanudosa.pbworks.com/f/robux_fee_calculator.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/a1dc98d4-dbc5-4f73-b0ed-46b5467d7210/jomurijeweti.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/c94b9533-dd18-41b3-a005-0a7d50c710cc/kodak_easyshare_m820_digital_frame_troubleshooting.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/604b498c-9d8c-4dd0-ba03-eeed784ab036/99403437363.pdf (PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (PDF document text)
    • http://purl.org/dc/elements/1.1/ (PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (PDF document text)
    • http://ns.adobe.com/xap/1.0/ (PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (PDF document text)
    • http://scripts.sil.org/OFL (PDF document text)
    • http://dejavu.sourceforge.net (PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (PDF document text)
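
The two structural heuristics above (PDF_SEO_DISPOSABLE_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) can be reproduced with a small static scan. The script below is an added example and not the report's own tooling: it walks the raw `N G obj ... endobj` definitions, records object numbers that are defined more than once with different bytes, shows what a first-wins and a last-wins reader would each resolve, pulls every `/URI` target and measures host spread, `.pdf` targets, `utm_term` redirectors and free-hosting domains. The PDF bytes are constructed for the example (its link targets are five URLs from this report's indicator list); the disposable-host set, the list of "active content" keys and the thresholds are the example's assumptions, not values taken from the analysis engine.

```python
"""Static PDF triage for two heuristics in this report: duplicate indirect-object
bodies (first-wins vs last-wins divergence) and a non-clustered external link
farm. Added example, not the report's own tooling."""
import re
from collections import Counter
from urllib.parse import urlparse, parse_qs

# "N G obj ... endobj" definitions. The lookbehind stops "12 0 obj" from also
# matching as "2 0 obj".
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Keys that make a duplicate body count as active content (assumption: this
# key list is the example's, not the report's).
ACTIVE_RE = re.compile(rb"/(URI|JS|JavaScript|Launch|OpenAction|AA|SubmitForm)\b")
# Free/disposable content hosts seen in this report's indicator list
# (assumption: which hosts count as disposable is the example's choice).
DISPOSABLE_HOSTS = {"uploads.strikinglycdn.com", "static.s123-cdn-static.com",
                    "cdn-cms.f-static.net", "pbworks.com"}
MIN_LINKS, MAX_DOMINANT_SHARE = 4, 0.5  # thresholds are assumptions

def parse_objects(pdf: bytes):
    """All (num, gen, body) definitions in file order. Incremental updates
    append new definitions, so one object number can appear several times."""
    return [(int(n), int(g), b.strip()) for n, g, b in OBJ_RE.findall(pdf)]

def duplicate_objects(objs):
    """{(num, gen): {"bodies": [...], "active": bool}} for objects defined
    more than once with differing bytes."""
    by_key = {}
    for n, g, body in objs:
        by_key.setdefault((n, g), []).append(body)
    return {k: {"bodies": v, "active": any(ACTIVE_RE.search(b) for b in v)}
            for k, v in by_key.items() if len(set(v)) > 1}

def resolve(objs, key, policy="last"):
    """What a first-wins or a last-wins reader sees for one object."""
    bodies = [b for n, g, b in objs if (n, g) == key]
    return bodies[0] if policy == "first" else bodies[-1]

def link_uris(objs):
    """Every /URI target in any definition (some reader reaches each copy)."""
    return [m.decode("latin-1") for _, _, b in objs for m in URI_RE.findall(b)]

def is_disposable(host):
    return any(host == d or host.endswith("." + d) for d in DISPOSABLE_HOSTS)

def link_farm_features(urls):
    """Host spread, .pdf targets, utm_term redirectors, disposable hosts."""
    parsed = [urlparse(u) for u in urls]
    hosts = Counter(p.hostname or "" for p in parsed)
    total = sum(hosts.values())
    dominant = hosts.most_common(1)[0][1] / total if total else 0.0
    feats = {
        "links": total,
        "hosts": len(hosts),
        "dominant_share": dominant,           # 1.0 = one host owns every link
        "pdf_targets": sum(p.path.lower().endswith(".pdf") for p in parsed),
        "utm_term": sum("utm_term" in parse_qs(p.query) for p in parsed),
        "disposable": sum(is_disposable(p.hostname or "") for p in parsed),
    }
    feats["flagged"] = (total >= MIN_LINKS and dominant <= MAX_DOMINANT_SHARE
                        and (feats["utm_term"] > 0 or feats["disposable"] >= 2))
    return feats

def triage(pdf: bytes):
    objs = parse_objects(pdf)
    return {"duplicate_objects": duplicate_objects(objs),
            "link_farm": link_farm_features(link_uris(objs))}

def annot(num, uri):
    """One /Link annotation object with a /URI action (constructed)."""
    return (b"%d 0 obj\n<< /Type /Annot /Subtype /Link "
            b"/A << /S /URI /URI (%s) >> >>\nendobj\n" % (num, uri))

# Constructed sample: a minimal PDF whose link targets are this report's
# indicators, followed by an incremental update that redefines object 4.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R] >>\nendobj\n"
    + annot(4, b"https://static.s123-cdn-static.com/uploads/4410415/normal_5fcf5c9e73ad3.pdf")
    + annot(5, b"https://cdn-cms.f-static.net/uploads/4411245/normal_604cd61ca67d7.pdf")
    + annot(6, b"https://uploads.strikinglycdn.com/files/2c357384-1304-45b2-943a-cda6e6a28661/is_it_better_to_buy_a_house_now_or_wait.pdf")
    + annot(7, b"http://zusemivak.pbworks.com/f/how_to_transfer_money_in_cash_app_to_bank_account.pdf")
    + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    + annot(4, b"https://wastran.ru/pbw?utm_term=jodha+akbar+song+jashn+e+bahara+mp3+download")
    + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    objs = parse_objects(SAMPLE_PDF)
    result = triage(SAMPLE_PDF)
    for key, info in result["duplicate_objects"].items():
        print("object %d %d redefined, active=%s" % (key[0], key[1], info["active"]))
        print("  first-wins:", resolve(objs, key, "first"))
        print("  last-wins: ", resolve(objs, key, "last"))
    print(result["link_farm"])
```

Run against the constructed sample, the scan reports object 4 0 as redefined with active content (a first-wins reader follows the s123 link, a last-wins reader follows the wastran.ru utm_term redirector) and flags the link set: five links over five distinct hosts, no dominant host, four `.pdf` targets, one `utm_term` redirector and four targets on free hosting. Against a real file, feed it the bytes of the sample and compare the duplicate-object list with what `qpdf --show-xref` or a parser of your choice resolves.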

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000ea4a.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xEA4A   5900 bytes
  SHA-256: 48b189b33c0ac001d6b74b20648cd1b0442eac737919e83f49d19561fb584950
font_01_sfnt_off0000fe40.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xFE40   6444 bytes
  SHA-256: d2d2025645f308a5332763abf3308f73ee64be09f7308d84beac75356cdb418a
font_02_sfnt_off00011523.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x11523  11360 bytes
  SHA-256: cd9566f011af8013945b37ab86ad3edc8e4b95d37d1deda89af480d68d5bfdf2
font_03_sfnt_off00013c82.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x13C82  17156 bytes
  SHA-256: c1671dee65b328b7821a3b19b364d9a41bc536ee39d7538c9449af5dfb11495f
font_04_sfnt_off00015571.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x15571  5452 bytes
  SHA-256: d36682f532553846fdd54e6419183fe2774e245c0eb6f0dd7b3af7d42a08bd8c