Malicious PDF — malware analysis report

Static analysis result for SHA-256 c2ff759a7011f1ef…

MALICIOUS

PDF

83.2 KB Created: 2021-06-11 06:23:21 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-27
MD5: 4cec037583c86cb1ace916ba28125eba SHA-1: de1e2585537b42616bf6761bb0f5b58de5cf2d72 SHA-256: c2ff759a7011f1efc5d0dbe053d9d2aa8505be209db49a4c5cdbdbbe838b2c72
184 Risk Score
Tags
free-cdn-ebook-manual-lure

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF is identified as malicious by ML classifiers and ClamAV, indicating it's a phishing or trojan distribution attempt. It contains a large number of external links, many pointing to disposable hosting, suggesting a link farm designed to redirect users to malicious sites. The document body, though heavily obfuscated, contains references to "Word 2010 pdf" and the authoring application "wkhtmltopdf", likely a lure to disguise the malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8410

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://crysiq.ru/pbw?utm_term=word+2010+pdf PDF link annotation
    • https://dexatasudawuge.weebly.com/uploads/1/3/4/4/134477966/giriwobolejomo-fubesumazasavop.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4368768/normal_5fd149d1f39e0.pdfIn PDF document text
    • https://xadebunurag.weebly.com/uploads/1/3/1/4/131454816/8696182ab03eef.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4496602/normal_5ff2afa620b02.pdfIn PDF document text
    • https://static.s123-cdn-static-d.com/uploads/4476133/normal_60b482e5db321.pdfIn PDF document text
    • https://mevinabepoke.weebly.com/uploads/1/3/2/7/132740553/jowosizijuve.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4383475/normal_5ffdb1b60a4ef.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4374540/normal_6025f224456b8.pdfIn PDF document text
    • https://defifipak.weebly.com/uploads/1/3/4/4/134442047/sokilibizov.pdfIn PDF document text
    • http://fontawesome.iohttp://fontawesome.io/license/In PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/660e4f5e-9954-4da8-ac11-cdaa4b4c3ab8/vunuwezupazedef.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/aeb94ae3-6028-467e-b4bd-317db1a4c4a5/lenovo_yoga_500_bios_update.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/b9594af2-6eea-4fa5-93b4-54fca9fa7505/how_to_use_an_architectural_scale_1_2.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/d7138b0f-57ea-4cd7-8941-8f4c58845941/12256074876.pdfIn PDF document text
    • http://sawanixum.pbworks.com/w/file/fetch/144522192/supiriwipiresesi.pdfIn PDF document text
    • http://nadupodifado.pbworks.com/f/sigikewujo.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/5f5e2fc0-5a6b-4f57-874f-13f8bb8898e9/what_is_the_setting_of_dr_heidegger_experiment.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/be15c1c0-f97a-4ab1-99b4-9b54b2596df4/vakexiduwo.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/323abb74-996d-4411-be72-0f7ea1aba5dc/jawanitakexikobanupopumol.pdfIn PDF document text
    • http://kolasotosexu.pbworks.com/w/file/fetch/145098219/wemitunixaxogurozux.pdfIn PDF document text
    • http://sipibujewadu.pbworks.com/f/wupopoxisuwokoziderejutax.pdfIn PDF document text
    • http://giresizuloki.pbworks.com/f/63165135795.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/d794917a-2b4b-42c5-9d21-a60672f48fcc/bomoliwidufifegapin.pdfIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00011e4a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x11E4A 1872 bytes
SHA-256: 9fba9b0d9e2cc48f58c52755440c9a9bb3bd4c5dbe3d8c853d7e81cca7fbdf20
font_01_sfnt_off0001273f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1273F 4388 bytes
SHA-256: 99eb75d8f24355695108524d1de67ea4f4a2f7870d3d03b724d3a7edfaec6c48

Open this report in the interactive analyzer, or submit your own file for analysis.