Malicious PDF — malware analysis report

Static analysis result for SHA-256 91f30b03841aac86…

Verdict: MALICIOUS

File type: PDF

Size: 76.3 KB
Created: 2021-03-06 19:15:58 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-18
MD5: 9055b0ce7eedd73c416f27c9d1de99ff
SHA-1: 65669017c8a39dc281f3f82bfe044a6ae1608e8f
SHA-256: 91f30b03841aac86defec29ee49e798d162e3fc104d1cf6cf607d0d99c6ded0f
Risk Score: 124

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF contains numerous external URIs and is flagged as a non-clustered link farm on disposable hosting, a pattern built to route users into redirect or payload chains rather than to cite sources. The ML classifier (malicious score 0.8923) and the ClamAV phishing signature agree that the file is malicious, most likely a lure that leads to phishing or malware distribution sites. No JavaScript or other script content was extracted, so the T1059.007 mapping is not corroborated by the sample's own content; the PDF carries no exploit, and the risk lies in the linked destinations.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8923

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://jacksth.ru/award?keyword=jvc+camcorder+everio (PDF link annotation)
    • http://newipufisatag.scienceontheweb.net/sitenovigeperojenobiloka.pdf (PDF document text)
    • https://static.s123-cdn-static.com/uploads/4393193/normal_5fde12188b01e.pdf (PDF document text)
    • https://takewinedol.weebly.com/uploads/1/3/4/7/134768260/dojudipusupop.pdf (PDF document text)
    • https://cdn-cms.f-static.net/uploads/4422136/normal_604120a0d0133.pdf (PDF document text)
    • http://wilexani.22web.org/dejobumixebawas.pdf (PDF document text)
    • https://static.s123-cdn-static.com/uploads/4454561/normal_6008857113862.pdf (PDF document text)
    • https://cdn-cms.f-static.net/uploads/4458616/normal_60263f0c9747f.pdf (PDF document text)
    • https://cdn-cms.f-static.net/uploads/4367922/normal_603975cb1c5a6.pdf (PDF document text)
    • https://pofunowiri.weebly.com/uploads/1/3/3/9/133997400/7350054.pdf (PDF document text)
    • https://cdn-cms.f-static.net/uploads/4369926/normal_603f0238d52da.pdf (PDF document text)
    • http://jofarofuwudeveb.66ghz.com/63929816193.pdf (PDF document text)
    • https://zozolesib.weebly.com/uploads/1/3/4/6/134631165/7652571.pdf (PDF document text)
    • https://babipuwoze.weebly.com/uploads/1/3/4/8/134865032/1961548.pdf (PDF document text)
    • http://siwosupegejolop.medianewsonline.com/critical_hit_deck.pdf (PDF document text)
    • https://cdn-cms.f-static.net/uploads/4453142/normal_6030aa777c34d.pdf (PDF document text)
    • http://vekisonoloze.sportsontheweb.net/18087766121.pdf (PDF document text)
    • http://www.ascendercorp.com/ (PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (PDF document text)
    • http://www.opentle.org (PDF document text)
    • http://xuvekixofeku.onlinewebshop.net/how_to_clean_a_edenpure_heater.pdf (PDF document text)
    • http://gosujol.epizy.com/vevuzukutadenajet.pdf (PDF document text)
    • http://zimufoduso.rf.gd/spice_and_wolf_light_novel_box_set.pdf (PDF document text)
    • http://zelejiv.epizy.com/1079293776.pdf (PDF document text)
    • http://rafirupusugogek.epizy.com/elite_gourmet_2.1_air_fryer_manual.pdf (PDF document text)
    • http://mofibukuzoke.rf.gd/aha_guidelines_2015_noncardiac_surgery.pdf (PDF document text)
    • http://scripts.sil.org/OFL (PDF document text)
    • http://www.gnu.org/licenses/gpl.html (PDF document text)
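The PDF_SEO_DISPOSABLE_LINK_FARM heuristic above is a host-dispersion test, and the per-URL channel labels come from two different extraction paths (link annotations versus document text). The following is an added example, not the scanner's own code, that reproduces both: extract_urls pulls /URI actions and URLs from the raw body and from Flate-inflated streams, and link_farm_score applies the "many hosts, no dominant host, disposable hosting or SEO redirector" rule to a subset of the URLs listed above. The disposable-host suffix list, the score thresholds, the 76.3 KB size rounded to bytes, the treatment of a keyword= query parameter as a redirector marker, and the constructed mini-PDF are all assumptions.

```python
"""Added example (not the scanner's code): re-implements the PDF_SEO_DISPOSABLE_LINK_FARM
heuristic. Thresholds, the disposable-host list and the 'keyword=' marker are assumptions."""
import re
import zlib
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Assumption: illustrative free/disposable hosting suffixes, taken from the hosts seen in this report.
DISPOSABLE_SUFFIXES = ("weebly.com", "f-static.net", "s123-cdn-static.com", "epizy.com", "rf.gd",
                       "22web.org", "66ghz.com", "scienceontheweb.net", "sportsontheweb.net",
                       "medianewsonline.com", "onlinewebshop.net")
# Hosts that come from embedded-font licence metadata rather than clickable lures; not scored.
FONT_METADATA_HOSTS = {"www.ascendercorp.com", "www.opentle.org", "scripts.sil.org", "www.gnu.org"}

URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'*+,;=%-]+")


def extract_urls(pdf_bytes):
    """Map each URL to the channel it was reached through: 'link annotation' for /URI
    actions, 'document text' for the raw body or inflated FlateDecode content streams."""
    found = {}
    for m in URI_ACTION_RE.finditer(pdf_bytes):
        found[m.group(1).decode("latin-1")] = "link annotation"
    buffers = [pdf_bytes]
    for m in STREAM_RE.finditer(pdf_bytes):
        try:  # page text is normally Flate-compressed; decompressobj tolerates a clipped trailer
            buffers.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate (or damaged); the raw bytes are searched anyway
    for buf in buffers:
        for m in URL_RE.finditer(buf):
            found.setdefault(m.group(0).decode("latin-1"), "document text")
    return found


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def is_disposable(host):
    return any(host == s or host.endswith("." + s) for s in DISPOSABLE_SUFFIXES)


def is_seo_redirector(url):
    query = parse_qs(urlsplit(url).query)
    return "utm_term" in query or "keyword" in query  # assumption: either marks a search-term redirector


def link_farm_score(urls, size_bytes, max_size=512 * 1024, min_pdf_links=10, max_dominant_share=0.5):
    """Small file + many external .pdf links spread thin across hosts (no dominant host)
    + disposable hosts or an SEO redirector -> flagged. Threshold values are assumptions."""
    external = [u for u in urls if host_of(u) and host_of(u) not in FONT_METADATA_HOSTS]
    hosts = Counter(host_of(u) for u in external)
    dominant_share = max(hosts.values()) / len(external) if external else 0.0
    disposable = sorted(h for h in hosts if is_disposable(h))
    redirectors = [u for u in external if is_seo_redirector(u)]
    pdf_links = [u for u in external if urlsplit(u).path.lower().endswith(".pdf")]
    flagged = (size_bytes <= max_size and len(pdf_links) >= min_pdf_links
               and dominant_share <= max_dominant_share and (len(disposable) >= 3 or bool(redirectors)))
    return {"flagged": flagged, "external_links": len(external), "pdf_links": len(pdf_links),
            "distinct_hosts": len(hosts), "dominant_share": round(dominant_share, 3),
            "disposable_hosts": disposable, "redirectors": redirectors}


# A subset of the URLs listed in the report above, used as scoring input.
REPORT_URLS = """
https://jacksth.ru/award?keyword=jvc+camcorder+everio
http://newipufisatag.scienceontheweb.net/sitenovigeperojenobiloka.pdf
https://static.s123-cdn-static.com/uploads/4393193/normal_5fde12188b01e.pdf
https://takewinedol.weebly.com/uploads/1/3/4/7/134768260/dojudipusupop.pdf
https://cdn-cms.f-static.net/uploads/4422136/normal_604120a0d0133.pdf
http://wilexani.22web.org/dejobumixebawas.pdf
https://cdn-cms.f-static.net/uploads/4458616/normal_60263f0c9747f.pdf
https://pofunowiri.weebly.com/uploads/1/3/3/9/133997400/7350054.pdf
http://jofarofuwudeveb.66ghz.com/63929816193.pdf
http://siwosupegejolop.medianewsonline.com/critical_hit_deck.pdf
http://www.ascendercorp.com/
http://gosujol.epizy.com/vevuzukutadenajet.pdf
http://zimufoduso.rf.gd/spice_and_wolf_light_novel_box_set.pdf
""".split()
REPORT_SIZE_BYTES = int(76.3 * 1024)  # the reported 76.3 KB, rounded (assumption)


def build_constructed_pdf():
    """Constructed stand-in (not the analysed sample): one /URI link annotation plus one
    Flate-compressed content stream that names two of the report's URLs."""
    text = (b"BT (see http://gosujol.epizy.com/vevuzukutadenajet.pdf and "
            b"http://zimufoduso.rf.gd/spice_and_wolf_light_novel_box_set.pdf) Tj ET")
    content = zlib.compress(text)
    return (b"%PDF-1.4\n1 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
            b"/URI (https://jacksth.ru/award?keyword=jvc+camcorder+everio) >> >> endobj\n"
            b"2 0 obj << /Length " + str(len(content)).encode() + b" /Filter /FlateDecode >>\n"
            b"stream\n" + content + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    for url, channel in sorted(extract_urls(build_constructed_pdf()).items()):
        print(f"{channel:16} {url}")
    print(link_farm_score(REPORT_URLS, REPORT_SIZE_BYTES))
```

Running it prints the three URLs found in the constructed PDF with their channels, then a verdict dict for the report's URL subset (flagged, with one redirector and a dominant-host share well under 0.5). On a real sample, object streams (/ObjStm) and non-Flate filters need the same inflation step before the text search, and the font-licence hosts are excluded so that metadata noise does not pad the host count.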

Extracted artifacts (3)

Files carved from inside the sample during analysis.

font_00_sfnt_off0000df12.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xDF12
  Size: 4528 bytes
  SHA-256: 648647f2fb57f9e28b2c45a1bc780d395bb12b531d546e33fd8856315c918fca

font_01_sfnt_off0000ee61.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xEE61
  Size: 9452 bytes
  SHA-256: 9b4e6fc051f12b7ad01ee85764c161c8ac8586fe3579c7a314bc268ebf62bb72

font_02_sfnt_off0001080e.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1080E
  Size: 10476 bytes
  SHA-256: 04d373d038ae67d62a94ac9e5d98ae1412fe8acc4c77a6b60dd6942cb01e22bd
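The heuristic description says the PDF itself carries no exploit; the three carved font streams are the part of the file a triager would still want to check structurally, because an embedded font is parsed by the viewer whether or not the user clicks anything. The following is an added example, not the scanner's code: it parses the sfnt offset table and table directory of a carved blob, checks table bounds and checksums, and hashes the blob for the artifact table. The two-table font it builds is a constructed stand-in, not one of the artifacts listed above.

```python
"""Added example (not the scanner's code): sanity-check a carved sfnt font stream by parsing
its offset table and table directory, verifying table bounds and checksums, and hashing it."""
import hashlib
import struct

SFNT_TAGS = {b"\x00\x01\x00\x00": "TrueType", b"true": "TrueType (Mac)", b"OTTO": "OpenType/CFF"}


def table_checksum(data):
    """Sum of big-endian 32-bit words over the table padded to a 4-byte boundary (OpenType spec)."""
    padded = data + b"\x00" * (-len(data) % 4)
    return sum(struct.unpack(">%dI" % (len(padded) // 4), padded)) & 0xFFFFFFFF


def parse_sfnt(blob):
    """Return the flavour, table records and a list of structural problems for one carved blob.
    An empty 'problems' list means the artifact is at least a well-formed font container;
    anything listed is worth a closer look before calling the font benign."""
    problems = []
    if len(blob) < 12:
        return {"flavour": None, "tables": [], "problems": ["shorter than the 12-byte offset table"],
                "sha256": hashlib.sha256(blob).hexdigest()}
    tag, num_tables, *_ = struct.unpack(">4sHHHH", blob[:12])  # scaler type, numTables, search fields
    flavour = SFNT_TAGS.get(tag)
    if flavour is None:
        problems.append(f"unknown scaler type {tag!r}")
    tables, seen = [], set()
    for i in range(num_tables):
        rec = 12 + 16 * i
        if rec + 16 > len(blob):
            problems.append(f"table directory truncated at record {i}")
            break
        ttag, checksum, offset, length = struct.unpack(">4sIII", blob[rec:rec + 16])
        name = ttag.decode("latin-1")
        if name in seen:
            problems.append(f"duplicate table {name}")
        seen.add(name)
        if offset + length > len(blob):
            problems.append(f"table {name} runs past end of blob ({offset}+{length} > {len(blob)})")
        elif name != "head" and table_checksum(blob[offset:offset + length]) != checksum:
            # 'head' is skipped: its checkSumAdjustment field is zeroed when its checksum is computed.
            problems.append(f"checksum mismatch for table {name}")
        tables.append({"tag": name, "offset": offset, "length": length, "checksum": checksum})
    return {"flavour": flavour, "tables": tables, "problems": problems,
            "sha256": hashlib.sha256(blob).hexdigest()}


def build_constructed_font():
    """Constructed stand-in for a carved font stream (not one of the artifacts listed above):
    a TrueType-flavoured sfnt with two tiny tables, each padded to 4 bytes as the format requires."""
    tables = [(b"cmap", b"\x00\x00\x00\x01\x00\x03"), (b"name", b"\x00\x00\x00\x00")]
    num = len(tables)
    power = 1  # largest power of two <= numTables, used for the binary-search fields
    while power * 2 <= num:
        power *= 2
    header = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", num, power * 16,
                         power.bit_length() - 1, num * 16 - power * 16)
    directory, body, offset = b"", b"", 12 + 16 * num
    for ttag, data in tables:
        directory += struct.pack(">4sIII", ttag, table_checksum(data), offset, len(data))
        padded = data + b"\x00" * (-len(data) % 4)
        body += padded
        offset += len(padded)
    return header + directory + body


if __name__ == "__main__":
    font = build_constructed_font()
    for blob in (font, font[:20]):  # intact font, then one clipped inside the table directory
        info = parse_sfnt(blob)
        print(info["flavour"], [t["tag"] for t in info["tables"]], info["problems"], info["sha256"][:16])
```

Run against the carved files, the same function gives the flavour, the table list and the SHA-256 already recorded in the artifact table; a table that runs past the end of the blob or fails its checksum is the signal to move from "embedded font" to a closer look at that stream.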