Malicious PDF — malware analysis report

Static analysis result for SHA-256 c9ad5ebb3d44213c…

Verdict: MALICIOUS
File type: PDF
Size: 149.9 KB
Created: 2021-04-25 19:27:43 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: d13ba85a2dbbd55ee8391913470e2a12
SHA-1: ebc8e50799115fcef30ce25c0aa99bc9cb56ff0e
SHA-256: c9ad5ebb3d44213cebbb8eab583f467322974480682c7fa7633c2e8ae0910015
Risk score: 126

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous embedded URLs and is flagged as a link farm on disposable hosting, indicating a phishing or redirection attempt. The ML classifier and ClamAV detection strongly suggest malicious intent, likely to direct users to malicious sites for further exploitation or credential harvesting. No scripts were extracted, but the PDF structure itself is indicative of a phishing lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8870

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://kuzutuzo.ru/strik?utm_term=buddha+and+his+dhamma+book+in+english+pdf (PDF link annotation)

Extracted artifacts (11)

Files carved from inside the sample during analysis.

Filename  Kind  Source  Size  (SHA-256 of each artifact on the following line)
font_00_sfnt_off00015e33.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x15E33 7356 bytes
SHA-256: 281e6e369651d2ad5b48e55dc69d0795d115963cd70ce5dffc8cbed1df6c385d
font_01_sfnt_off000170fa.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x170FA 4552 bytes
SHA-256: e04c39cbfe15b127377b2b572e455d8fa542d60f7ddf35dd5ed66d4db88b2c53
font_02_sfnt_off000180f9.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x180F9 5612 bytes
SHA-256: 01e6432e32f1d7738df83ead30a7f86d9259906b9a1adaedcc2f7a9d3f3bfda3
font_03_sfnt_off000193ac.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x193AC 6352 bytes
SHA-256: df999a891d5d2d55721d8d95a410e06c01e8a896c4561724ec35f2c388ad6844
font_04_sfnt_off0001a2ff.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1A2FF 3700 bytes
SHA-256: 25695ad4c9f92ed7ed71ef5652a3613d1327ded6eb8ecb56aadc3fe8a7bccea4
font_05_sfnt_off0001ae86.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1AE86 1796 bytes
SHA-256: bdc4f2962fe5d2ea523e8d3c4353536ba858f8cf5bf2dc76ffaf6454cebd095e
font_06_sfnt_off0001b74b.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1B74B 22192 bytes
SHA-256: f12fa68bbbefcf8dd336e8bf2347684e792fd21c1fe78b284c9752bf92ded57b
font_07_sfnt_off0001f8d8.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1F8D8 19168 bytes
SHA-256: 3b278def2ed0ccfbe86ad00d3d4622354a48cc594b58e8b784e4cd8049b6e014
font_08_sfnt_off000218ca.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x218CA 2852 bytes
SHA-256: bad16dacdff0d1fad71ff172d397782df72ccb744d3da57f12fa76ec7327023d
font_09_sfnt_off0002242a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x2242A 4644 bytes
SHA-256: b520c195d808e8a6a31ecc889eb6e0641b29eb41ff58e635de020faa30d2633a
font_10_sfnt_off000234cc.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x234CC 6492 bytes
SHA-256: 336abdb4257fc3e833b8b794f04dcb1c763e128f3bcbac6cbb66c389a7e4e245