Malicious PDF — malware analysis report

Static analysis result for SHA-256 c311274b087ca0eb…

Verdict: MALICIOUS
File type: PDF
Size: 55.8 KB
Created: 2021-03-07 19:23:03 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-17
MD5: 349dd8e7e2f82efc2f310dbdf47efc7e
SHA-1: c77c708c44ff6273bebec21c27490352d41c7223
SHA-256: c311274b087ca0eb8d4eb4b2fa077c9a2c54b77f815009affc62c81ba18bd9da
Risk Score: 124

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains multiple embedded URLs, with one specifically pointing to a suspicious domain ('xezojetit.ru') that is likely used for phishing or to serve a malicious payload. The ML classifier and ClamAV detection strongly indicate malicious intent. The document body, though partially corrupted, suggests a lure related to product specifications.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8686

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting (medium) PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (info) PDF_URI
    PDF contains an external URL action
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://xezojetit.ru/award?keyword=whirlpool+ultimate+care+ii+specifications (PDF link annotation)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000ce88.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xCE88 | 5268 bytes
SHA-256: 0af91da302eb44f4e030e99483696b01a6ddba9e8d819a6052876ae62973fc2a