Malicious PDF — malware analysis report

Static analysis result for SHA-256 be862a00ef29bf00…

Verdict: MALICIOUS
File type: PDF
Size: 81.5 KB
Created: 2021-04-12 04:10:06 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: 2ee811862b91e9702896bffac2479c52
SHA-1: e3accd54b37b45d7c456975bb624535e397f68e0
SHA-256: be862a00ef29bf00534e178d86167e3b210a91be2e96d5407683d486b9d07668
Risk Score: 124

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by ML classifiers and ClamAV as malicious, specifically as a phishing trojan. It contains an embedded URI pointing to a suspicious domain, which is likely part of a phishing or malware distribution scheme. The document body, though heavily obfuscated, appears to contain keywords related to a game and operating system, suggesting a lure to trick users into visiting the malicious URL.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7908

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://zajinet.ru/strik?utm_term=%25D0%25BA%25D0%25B0%25D0%25BA+%25D0%25B7%25D0%25B0%25D0%25BF%25D1%2583%25D1%2581%25D1%2582%25D0%25B8%25D1%2582%25D1%258C+metal+gear+solid+2+substance+%25D0%25BD%25D0%25B0+windows+10 (channel: PDF link annotation)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                      | Kind            | Source                                      | Size
font_00_sfnt_off000118a1.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0x118A1  | 6812 bytes
SHA-256: a3ec8d6c6f8abc44714c2be25ea04295bad75dda5682228e86f4abe927d2649f