Malicious PDF — malware analysis report

Static analysis result for SHA-256 9e0b6dab04882e13…

Verdict: MALICIOUS
File type: PDF
Size: 90.2 KB
Created: 2021-05-18 11:35:28 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-23
MD5: 8739255509c03762423175a4cf74fbeb
SHA-1: 1962bf6750ba415147e0a3d4d4f4cb8076a48588
SHA-256: 9e0b6dab04882e138693c8fbb3c68f536a80a56d0dbc5c1e7888340d862f3230
Risk Score: 124

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, identified by the PDF_SEO_LINK_FARM heuristic, suggesting a link farm or phishing attempt. The ClamAV detection as 'Pdf.Phishing.Trojan' further supports malicious intent. The document body, though heavily obfuscated, appears to be a lure related to 'proving triangles congruent proofs worksheet answers', directing users to external URLs like https://dafemum.ru/strik. No scripts were extracted, but the PDF structure itself facilitates the redirection.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0604

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://dafemum.ru/strik?utm_term=proving+triangles+congruent+proofs+worksheet+answers (PDF link annotation)

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                        Size
font_00_sfnt_off0000ef81.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xEF81     6552 bytes
  SHA-256: 395b68fc23996ecc32871032f41c135c3a407385ce27eceeb6d3b1260c42bc5b
font_01_sfnt_off0000ffa7.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xFFA7     3240 bytes
  SHA-256: 92dbe54ead12eff6682f2d6e51b3e5aaf9f0ca7181594b0d610ad93b990e6c0f
font_02_sfnt_off00010b36.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x10B36    5496 bytes
  SHA-256: 36c2ea5f1e84cc78467c71a3b545a97a893f644f0295d34a086ba99621af28fa
font_03_sfnt_off00011e02.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x11E02    13892 bytes
  SHA-256: 84bcc882e4da7b7ad4a8841028cf146f4935a6c7cb98275af861a47ba3c3621e
font_04_sfnt_off00014cff.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x14CFF    16420 bytes
  SHA-256: 6bfada953d3f77efb437e0fa6d77fc7f42082aa610d810e95a5399f688e28cbc