Malicious PDF — malware analysis report

Static analysis result for SHA-256 af6d307e5f2cd554…

MALICIOUS

PDF

Size: 84.5 KB
Created: 2021-03-12 00:59:46 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-23
MD5: 86cc02abcd21fcd80fb072a6e4866ff9
SHA-1: 1e550b260840c927c17fe026d865313dfefab606
SHA-256: af6d307e5f2cd5545e118e9db700ca7c2fd1af7dbf0e674a5546d0afaa6a045d
Risk Score: 184

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8088

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00012c46.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x12C46
Size: 5416 bytes
SHA-256: 970ded6672c66edd024237346d418ec1c3f812ed79aa8cdb31de5a938b6b0737