Malicious PDF — malware analysis report

Static analysis result for SHA-256 c1787046d06798e0…

MALICIOUS

PDF

77.0 KB Created: 2021-03-10 14:21:39 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-15
MD5: c4b1f186126163fd44fdf91b5c398a34 SHA-1: db1c6936cd372f12545a7596f81ef4867c98134f SHA-256: c1787046d06798e06cf1e4e65499bd1c0edec22caf0ed424e232baf01c375fed
174 Risk Score
Tags
free-cdn-ebook-manual-lure

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains heuristics indicating it is a link farm designed to redirect users to external sites, with one specific URL identified as a potential download lure. The presence of a 'Password-protected archive handoff' heuristic suggests the document is part of a multi-stage attack, likely to bypass security controls by encrypting the actual payload. The ML classifier and ClamAV detection strongly indicate malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://kuzutuzo.ru/strik?utm_term=itunes+download+64+bit+windows+10+free+download+latest+version+2019 PDF link annotation
    • https://cdn.sqhk.co/rizinutix/Uhijjgj/24986980662.pdfIn PDF document text
    • https://cdn.sqhk.co/zenekukera/cDgh93Y/92576040275.pdfIn PDF document text
    • http://jalazekesofijot.medianewsonline.com/francisco_vasquez_de_coronado_timeline.pdfIn PDF document text
    • https://cdn.sqhk.co/pibexezases/igiaDXW/80306699768.pdfIn PDF document text
    • http://gesufumepemu.22web.org/nimuwazogurijorivatikuwe.pdfIn PDF document text
    • http://jufanurozud.getenjoyment.net/lejaxiraposomaletif.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://s3.amazonaws.com/lawakux/7364180092.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/f1d7dc82-7224-45ed-9aab-d8b149867239/how_high_should_bat_boxes_be.pdfIn PDF document text
    • https://591e60e9-54e8-4b06-a9a7-f2e0522969d0.filesusr.com/ugd/1fd4b7_14931876074e47ec99e5d4e9ab9e02da.pdf?index=trueIn PDF document text
    • http://nakunadugip.epizy.com/little_fires_everywhere_recap_episode_7_ew.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/003a8e7c-f045-4e63-ba41-609343c167d8/how_to_program_genie_master_remote_garage_door_opener.pdfIn PDF document text
    • http://bapaxezeb.epizy.com/black_and_decker_leaf_hog_bv4000_type_2_parts.pdfIn PDF document text
    • https://43081b45-6e48-4b43-b724-9328fda377ae.filesusr.com/ugd/26481d_15f11d67de1c4044800dcea5c558c946.pdf?index=trueIn PDF document text
    • https://78bdfa25-736e-4945-a764-db21511aacb9.filesusr.com/ugd/9bd82e_7f4fa4e7e57f473781446f53646a7542.pdf?index=trueIn PDF document text
    • https://s3.amazonaws.com/lemerisinivum/what_is_the_main_goal_of_cultural_anthropology.pdfIn PDF document text
    • https://27aa3d6a-fcc1-4574-a8e0-77dd5bf64dcc.filesusr.com/ugd/7683ec_7497cf4b28524e0cb8df195e7c436647.pdf?index=trueIn PDF document text
    • http://fanixagef.rf.gd/jaxetano.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ee2c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEE2C 5852 bytes
SHA-256: 7932da013f71c80d445275e38a366a6ce2b6a0894477472bb7c6f485a2c4105a
font_01_sfnt_off0001023d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1023D 10516 bytes
SHA-256: 030a1171cd219271e6b9d2e1253feea9b56d0a075f604d245166157747d10107

Open this report in the interactive analyzer, or submit your own file for analysis.