Malicious PDF — malware analysis report

Static analysis result for SHA-256 8c56400a1430ce72…

MALICIOUS

PDF

134.6 KB Created: 2021-06-05 19:29:48 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-25
MD5: eb03c55da538c085bd210062555fd099 SHA-1: 6d6107e0914677555e3b5b71037e2ced02097717 SHA-256: 8c56400a1430ce72606466d07be650900121749985b9d844dbdf2185f8e6f4ab
204 Risk Score
Tags
free-cdn-ebook-manual-lure

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was flagged as malicious by ClamAV and an ML classifier. It contains a large number of external links, many pointing to disposable hosting, suggesting a link farm used for SEO manipulation or to distribute malicious content. The document body, though heavily obfuscated, contains metadata indicating it was generated by wkhtmltopdf, and the presence of PRC/3D content is unusual for a legitimate document. The primary IOC is the URL `https://wastran.ru/pbw?utm_term=manual+de+adiestramiento+militar+pdf`, which is likely the intended destination for users tricked by the document's lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9566

Heuristics 6

  • PRC/3D content in PDF medium CVE related PDF_PRC_3D
    PDF contains PRC 3D content. PRC/U3D parsers have been a recurring Adobe Reader attack surface; treat as a related parser-exploit indicator rather than a specific CVE match.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://wastran.ru/pbw?utm_term=manual+de+adiestramiento+militar+pdf PDF link annotation
    • https://cdn-cms.f-static.net/uploads/4417818/normal_601b653fd66d8.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4426941/normal_605cab10ba8b9.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4464056/normal_601e01dd55a71.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4389108/normal_602518fba7a3e.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4366036/normal_603e799ade4c7.pdfIn PDF document text
    • https://xirozakopep.weebly.com/uploads/1/3/4/7/134719339/jitekurig.pdfIn PDF document text
    • https://fewabobur.weebly.com/uploads/1/3/4/7/134713859/29dffd792d8d.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4445737/normal_60464036c68e5.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://www.opentle.orgIn PDF document text
    • https://uploads.strikinglycdn.com/files/2e1dab4a-28cc-4eee-82ac-e6e2cde8e566/karijivovatuzero.pdfIn PDF document text
    • http://zupelapowi.pbworks.com/f/89475440565.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/e63fa16a-2a53-49eb-80f4-20bfcd77f1d2/old_school_pizza_tavern_menu.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/1a06d61d-0e30-4492-88d2-2ac6c201bcb9/66530880279.pdfIn PDF document text
    • http://gopidam.pbworks.com/w/file/fetch/144546927/madame_bovary_2014_full_movie.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/c4b882c8-0f38-4d8b-bccd-5bbc630e0c87/chemical_experiment_report_sample.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/4d5efe6a-41ab-4eb6-b809-49d581c07a8f/81991576124.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/111a47f7-9a97-4b37-8b79-acd5411d76bb/she_kills_monsters_virtual_realms_script.pdfIn PDF document text
    • http://zewalar.pbworks.com/w/file/fetch/144466641/descargar_minecraft_pe_ltima_versin_2020_para_android_gratis_1.16.20.pdfIn PDF document text
    • http://vikowezanipe.pbworks.com/w/file/fetch/144507735/m_sudheep_elayidom_data_mining_and_warehousing.pdfIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text
    • http://www.gnu.org/licenses/gpl.htmlIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001e033.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1E033 5192 bytes
SHA-256: 616b89d3ecf66abaa34980fd7a68831538ae916ba3edbbb01cb75b7dfc21851a
font_01_sfnt_off0001f1c7.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1F1C7 6636 bytes
SHA-256: ab578f0335b3429180fa528d0e5270cb5eb086541f0ba46a8b4b7204e3539c09

Open this report in the interactive analyzer, or submit your own file for analysis.