Malicious PDF — malware analysis report

Static analysis result for SHA-256 974de13a0ef1eb69…

MALICIOUS

PDF

66.2 KB Created: 2021-03-11 00:21:32 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-23
MD5: 64e770ed243bd5e8cd57a0d79282abdd SHA-1: 1392628fc5542760140f6d2f522a523c9b35dd27 SHA-256: 974de13a0ef1eb698b081e82abcd66464f586e9669d72acb24c99ee3bd000efa
124 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains numerous external links, many hosted on disposable domains, suggesting a link farm or SEO manipulation tactic. The document body, though heavily obfuscated, contains a query about pairing Bose earbuds, which is likely a lure. The presence of external URIs and a link farm heuristic indicates an attempt to redirect users to potentially malicious content hosted on external sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8428

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jumiwimov.ru/aws?utm_term=how+do+i+pair+my+bose+earbuds PDF link annotation
    • https://cdn-cms.f-static.net/uploads/4383925/normal_6032ffc3655aa.pdfIn PDF document text
    • https://kaposabebozof.weebly.com/uploads/1/3/4/4/134466843/potakexir.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4480585/normal_603417fe82513.pdfIn PDF document text
    • https://pejupatuwotim.weebly.com/uploads/1/3/2/8/132814375/puwaninununava-xenupesufowal.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4489977/normal_5fdc354b954e0.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4369310/normal_5ffc4fe846c5f.pdfIn PDF document text
    • https://lurofigugibax.weebly.com/uploads/1/3/4/6/134686006/608ce34298a6b.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://04a80c79-134c-446e-801b-0c1635678e59.filesusr.com/ugd/5cebf8_9cdb996423604c7eb3c379ab2ce00724.pdf?index=trueIn PDF document text
    • https://5637a596-61ce-4e67-8953-8fd9cb84b940.filesusr.com/ugd/c20ea7_f46f11a2caeb45cf9edc2b4d181194d1.pdf?index=trueIn PDF document text
    • https://f8d4b294-f952-4a11-85e8-0a3036f9bdaf.filesusr.com/ugd/ad8f3a_fff8340d46d1413a9e47f9431b9d4240.pdf?index=trueIn PDF document text
    • https://c1f973cf-d719-4acb-8f9e-cd83ae4fb94d.filesusr.com/ugd/057766_95f12124a811427e96126a28e7d038c7.pdf?index=trueIn PDF document text
    • https://1864c106-1a4f-4194-99fb-dabd5a0af450.filesusr.com/ugd/17b194_7483c3a963d0430882765560f3c3ec29.pdf?index=trueIn PDF document text
    • https://6d8b2927-5c4d-40df-b593-c6bd35e19528.filesusr.com/ugd/1adac8_8221ec0b59f1425c97ee3c7f9aa8e295.pdf?index=trueIn PDF document text
    • https://275320ff-96dd-455a-9699-a0fdc58b27a5.filesusr.com/ugd/943725_a6b965e0345d461192c8cb4c4e03bf2d.pdf?index=trueIn PDF document text
    • https://0bef8565-087b-457a-960c-b0529baba50c.filesusr.com/ugd/638000_ccdcfae7a7654746a7ef7eeb38be794f.pdf?index=trueIn PDF document text
    • https://a1c9bafd-2917-4c1b-b79c-a4b44a941470.filesusr.com/ugd/f0f215_109f4c15be7a4e3c804db16510759e73.pdf?index=trueIn PDF document text
    • https://1058d175-53f8-4d86-9201-ae9c1fc74009.filesusr.com/ugd/62a633_afb980d567d240cbb69971dbea434872.pdf?index=trueIn PDF document text
    • https://f8ba888e-8f71-4fde-8303-550399648f4e.filesusr.com/ugd/17ce20_5b1fb941ebd64a9ea76adb9bfe40efdc.pdf?index=trueIn PDF document text
    • https://a35aa970-3e4e-4c20-be1f-53d10001bce9.filesusr.com/ugd/af4e73_fdd9ec501a224716a683420b590d6060.pdf?index=trueIn PDF document text
    • https://c3a7a64c-5591-430b-94d7-c2eadfdf3523.filesusr.com/ugd/966478_cc266fce12f24592a752015098e8f810.pdf?index=trueIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e868.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE868 5368 bytes
SHA-256: 9693b0bae7fa3316d69f115503fc420821f0d8339eb7dba09d39d89be5b5999a

Open this report in the interactive analyzer, or submit your own file for analysis.