Malicious PDF — malware analysis report

Static analysis result for SHA-256 a4344f1f4be064d0…

Verdict: MALICIOUS
File type: PDF
Size: 72.2 KB
Created: 2021-04-07 01:21:58 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-13
MD5: 6b13727339e54f794f62c2d6c62013c3
SHA-1: 92c88d129e26e656b8b5830f5413ee9049bfefea
SHA-256: a4344f1f4be064d04d50c83d51576d523b1a8e574ec8f542ece55bc5ae7ebb8e
Risk score: 184

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF document contains a large number of external links, identified as a link farm. The heuristic 'PDF_SEO_LINK_FARM' indicates a mass of external PDF links, and 'PDF_SEO_DISPOSABLE_LINK_FARM' suggests these links are hosted on disposable domains. The ClamAV detection and ML classifier further support its malicious nature, likely for SEO manipulation or distributing further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7004

Heuristics (5)

  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_SEO_DISPOSABLE_LINK_FARM (medium): Small PDF is a non-clustered link farm on disposable hosting
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • PDF_URI (info): External URI
    PDF contains an external URL action
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://jumiwimov.ru/award?keyword=cren%25C3%25A7as+populares+samuele+bacchiocchi+pdf (PDF link annotation)
    • https://cdn.sqhk.co/vefobinibe/jfgfjfN/lativekev.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4386851/normal_60190e3abf8bc.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4380863/normal_5fd2053ed4466.pdf (in PDF document text)
    • https://cdn.sqhk.co/xidatelo/izhjhei/jekawakebegi.pdf (in PDF document text)
    • https://cdn.sqhk.co/jigijobofofa/hgifvBm/nanexemafolifujen.pdf (in PDF document text)
    • https://cdn.sqhk.co/sipebililofo/cFLpJhe/diwumejovurofivafuk.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4451220/normal_60446de32668a.pdf (in PDF document text)
    • https://cdn.sqhk.co/marixefe/ZDjcWMo/fezevitam.pdf (in PDF document text)
    • https://cdn.sqhk.co/gupimupiset/e0jeWih/download_village_and_farm_mod_apk_latest_version.pdf (in PDF document text)
    • https://cdn.sqhk.co/dixejetafap/gSI4Ajf/word_search_creator_app.pdf (in PDF document text)
    • https://cdn.sqhk.co/nifodotiriru/djbv48L/44229272884.pdf (in PDF document text)
    • https://cdn.sqhk.co/fematixub/gzhab9b/bapirawejovikivoranigu.pdf (in PDF document text)
    • https://cdn.sqhk.co/sewujuzanas/cigjagf/download_game_fish_aquarium_mod_apk.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4454049/normal_605aba565f709.pdf (in PDF document text)
    • https://cdn.sqhk.co/xatuxazaz/9Ijcupj/microsoft_office_network_diagram_template.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://0926596c-b1e6-4473-87d6-fed2e709bfeb.filesusr.com/ugd/e2a635_bb93179d5d504070a9c406ad3f34f8ba.pdf?index=true (in PDF document text)
    • https://e33362eb-94ba-4427-a888-6f4863169a18.filesusr.com/ugd/36ce96_5ad5843d78f1477da4a8b0c08880d66c.pdf?index=true (in PDF document text)
    • https://937a8a2d-b41a-4163-aff8-eda6db263557.filesusr.com/ugd/21e6f2_cc1ac88ac98745afa931875926de5a81.pdf?index=true (in PDF document text)
    • https://0df6220b-9630-4647-aab6-0d9db69b9d59.filesusr.com/ugd/8b97dd_e8aacd856a0a4ac48e13bd6458aa78c3.pdf?index=true (in PDF document text)
    • https://e082b6be-64c0-45f6-a8ff-82b9c6f476f0.filesusr.com/ugd/1479de_13501ff0a0fd4fef9510a0015cf1ccfb.pdf?index=true (in PDF document text)
    • https://ef5e9b3f-1a8e-4c79-9b60-34b8f8133c96.filesusr.com/ugd/18574e_a8f855a0cff14e11ae5eb3af52bbff68.pdf?index=true (in PDF document text)
    • https://6a1e2a5f-c456-4288-b9d5-5378f87870fb.filesusr.com/ugd/076fac_e3e516c6117d469aa072d69f3c839d16.pdf?index=true (in PDF document text)
    • https://abaaaae4-9231-44fc-b12c-ad55ebcc68e7.filesusr.com/ugd/2ca09c_f3c08d7eed0741908169d4729c74b6ee.pdf?index=true (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000f4e3.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF4E3
    Size: 5620 bytes
    SHA-256: 1d6bfb4f47b3a1d9381fa8645cd362920e54849f1aa040cfd06411dd88fbe9d2