Malicious PDF — malware analysis report

Static analysis result for SHA-256 c7d059f74452caf6…

MALICIOUS

PDF

81.8 KB Created: 2021-03-09 09:01:30 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-25
MD5: 4278ea983c5029a7555fc4e0f4f73f2d SHA-1: a850f705fe807a487dca306450b9bddc84fd4e2d SHA-256: c7d059f74452caf60a76f6d42d5bd8b9edf5d3fc2653a4730a0987149f102f99
184 Risk Score
Tags
free-cdn-ebook-manual-lure

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9014

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://gimoguvi.ru/award?keyword=brown+bear+eric+carle+pdf PDF link annotation
    • https://cdn-cms.f-static.net/uploads/4471996/normal_5fd6986227c1c.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4387715/normal_5ff06d155e170.pdfIn PDF document text
    • https://cdn.sqhk.co/janezewufaj/iBhbjcK/farm_town_cartoon_story_mod.pdfIn PDF document text
    • https://cdn.sqhk.co/vujuzira/dBxkHhh/bapizeba.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4413867/normal_5fd111dbaf2c1.pdfIn PDF document text
    • https://cdn.sqhk.co/viwiratoposu/jbIjehb/star_wars_x_wing_game_mat.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/fa2f60c3-e426-4fe5-be8c-30cfb31f697d/how_to_turn_off_a_heat_n_glo_fireplace.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/f2730369-f47c-4c8c-8e2d-08b4f42aef11/vygotskys_zone_of_proximal_development_in_the_classroom.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/1bde7896-a9a2-4a2f-b4c6-6e96b6211dea/xovebewudetizago.pdfIn PDF document text
    • https://8271b8e8-1520-4b18-8785-2fafc8cd33e6.filesusr.com/ugd/efc97f_3985272c5dcf40b8bdadf756ec440c16.pdf?index=trueIn PDF document text
    • https://d451e762-8e00-4155-9971-9512d28d2528.filesusr.com/ugd/b52961_21fb603a8b8d4c9488c7cb50762d6a25.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/6f986a22-af9c-48df-89ad-a4817f047ffd/96221792340.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/f726d01e-0b13-44ea-b1da-203576842ebb/91457492663.pdfIn PDF document text
    • https://bf68d742-fb98-404a-ab47-1dcf24f7df52.filesusr.com/ugd/83e7fd_d2be13a2a37c41c8a0afe7a41ad862fb.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/5ff6148a-9e78-4733-ba12-5b671b757f2d/tovabolor.pdfIn PDF document text
    • https://6998e30b-c911-4113-ab34-4c15204891c7.filesusr.com/ugd/429b25_ec8fd48b447541789bd48a10a535b6d5.pdf?index=trueIn PDF document text
    • https://c4a5d104-04f9-44e6-b03f-1f5edac3680f.filesusr.com/ugd/f23921_1073ac731df542bda5eff4587cca92a9.pdf?index=trueIn PDF document text
    • https://02796127-04ec-4c85-b270-c6f7310ebb18.filesusr.com/ugd/ce0e6d_33a831e6214d46698e0f2c4831e0b61d.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/8dc63064-97bf-438e-aaa1-bb544a021b7f/complete_list_of_grimms_fairy_tales.pdfIn PDF document text
    • https://5637a596-61ce-4e67-8953-8fd9cb84b940.filesusr.com/ugd/c20ea7_fee65dd00a8043edaac60299950e0907.pdf?index=trueIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e8fa.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE8FA 2864 bytes
SHA-256: 39fa38c428f8958a8c05e779ab645d6ebe39a2f9addb277e83d5d46358a9c997
font_01_sfnt_off0000f32d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF32D 5252 bytes
SHA-256: 9763737635145ad58486521bac9200a89e5667b3e804e0feaa921326d32f8427
font_02_sfnt_off0001052b.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1052B 15284 bytes
SHA-256: 18b8953db4bfc8a41f3068e5080f3dc0d9821b09cf28c8292cb0b23959661687
font_03_sfnt_off000134be.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x134BE 16092 bytes
SHA-256: ea75db71c9df7250347a03039f742fcd189f5fc3f08964e696816fa8b5227073

Open this report in the interactive analyzer, or submit your own file for analysis.