Malicious PDF — malware analysis report

Static analysis result for SHA-256 ccc2caf9b56982e3…

Verdict: MALICIOUS
File type: PDF
Size: 81.4 KB
Created: 2021-06-01 04:31:28 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-07-13
MD5: 5a425f03d08f6b4722ebfd69e6667ee7
SHA-1: 61ae67b8c0dff80e31da552da528c1a32eb435e7
SHA-256: ccc2caf9b56982e3897bc43ebae038fc08d73ba260d6e455677bf92590431c2b
Risk score: 154

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment; T1204.001 Malicious Link (user follows a link out of the PDF); T1204.002 Malicious File (user opens the attachment itself)

This PDF contains a large number of external links, most of which point to free or disposable content hosts (weebly.com, pbworks.com, strikinglycdn.com, f-static.net). The document body is heavily corrupted, but the utm_term parameter on the one clickable link points to a search-engine lure for 'integrated chinese lesson 7 dialogue 2 workbook answers'. The producer string (wkhtmltopdf, an HTML-to-PDF converter) is consistent with a template-generated document rather than an authored one. Together with the ClamAV detection and the heuristic firings, this indicates a phishing or SEO-spam campaign that ranks for search queries and drives visitors to malicious or low-reputation websites. The PDF itself carries no exploit code; the risk is in the linked destinations, so the useful follow-up is to block the linked hosts and detonate the linked PDFs rather than to look for a payload in this file.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.3365

Heuristics (5)

  • ClamAV detection [critical, CLAMAV_DETECTION]
    ClamAV signature: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting [medium, PDF_SEO_DISPOSABLE_LINK_FARM]
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
    Note that the two link-farm rules describe opposite host distributions, yet both fired on this sample. Counted over the 30 extracted URLs, no single hostname dominates (uploads.strikinglycdn.com is the largest at 7 of 30), while by registered domain weebly.com leads with 10 of 30; whether the links read as 'clustered' therefore depends on the grouping granularity, and the disposable-hosting rule is the closer fit here.
  • External URI [info, PDF_URI]
    PDF contains an external URL action.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Only the first URL below is a clickable link annotation; the remaining 29 occur in document text, where they are not links in the PDF structure itself, although common viewers auto-link URL-shaped text.
    URLs (30):
    • https://crewmak.ru/pbw?utm_term=integrated+chinese+lesson+7+dialogue+2+workbook+answers (PDF link annotation)
    • https://rakuwogu.weebly.com/uploads/1/3/4/8/134858672/wosudatepo.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4480595/normal_602c905adb537.pdf (in PDF document text)
    • https://tapebosipufadiz.weebly.com/uploads/1/3/4/3/134366988/funizugigoni_tomazazofubeper_foluxakumi_tezadufovokaj.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4481520/normal_601f7e1d170b4.pdf (in PDF document text)
    • https://kavivapepegag.weebly.com/uploads/1/3/4/2/134235540/2206784.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4368735/normal_5fd9823656801.pdf (in PDF document text)
    • https://gunimumatepatu.weebly.com/uploads/1/3/5/3/135313318/278c94f79.pdf (in PDF document text)
    • https://kifewuwumezoduk.weebly.com/uploads/1/3/4/7/134740170/9068458.pdf (in PDF document text)
    • https://wegakerovosa.weebly.com/uploads/1/3/0/8/130873826/3f10ee7747c75f0.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4417827/normal_603a8c0ccee77.pdf (in PDF document text)
    • https://kujuxase.weebly.com/uploads/1/3/4/5/134584075/moxivakig.pdf (in PDF document text)
    • https://jatuxifukonexe.weebly.com/uploads/1/3/4/4/134469885/1719797.pdf (in PDF document text)
    • https://dexugagemer.weebly.com/uploads/1/3/4/7/134715037/88325.pdf (in PDF document text)
    • https://kololeranazi.weebly.com/uploads/1/3/4/5/134583506/3779406.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text; font-foundry URL, most likely from embedded font metadata rather than the lure)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text; font-foundry URL, most likely from embedded font metadata rather than the lure)
    • http://kiletejude.pbworks.com/f/nimejulodisiwena.pdf (in PDF document text)
    • http://bojirakaj.pbworks.com/f/sportcraft_electronic_dartboard_instructions.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/bde7f541-eeba-40bc-b6b7-34dd261ee134/where_to_buy_extra_long_jumper_cables.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/8b4935d6-4559-4e7e-9098-921019a30c07/how_to_develop_intuition.pdf (in PDF document text)
    • http://lugozamuxika.pbworks.com/f/20618119911.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/cf4511f7-df0e-413d-a78e-d459c4989233/suxuxebixezajaxa.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/8c6d9d6f-0525-4a28-b90d-652b137e9542/jomuzomudijimojanejur.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/297571e2-fae9-47e8-a12e-58b369c8b840/70562015131.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/f6422772-53e6-4275-a4ce-f44be8124bef/martin_heidegger_what_is_metaphysics_summary.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/f6ff4ab4-41d8-4aca-8246-6c8874a1ddc4/31982694900.pdf (in PDF document text)
    • http://kefimazusob.pbworks.com/w/file/fetch/144424929/suwevapob.pdf (in PDF document text)
    • http://watusuxipidu.pbworks.com/w/file/fetch/144424128/98168128912.pdf (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text; the SIL Open Font License URL, most likely from embedded font metadata rather than the lure)
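As an added illustration, not the analysis platform's own code, the following Python reproduces the two extraction channels the URL labels distinguish (a clickable /URI link annotation versus a URL that merely appears in page text) and then applies link-farm scoring of the kind the PDF_SEO_LINK_FARM and PDF_SEO_DISPOSABLE_LINK_FARM rules describe. The PDF fragment is constructed inline, the scored URL list is a subset of the URLs this report extracted, and the regexes, thresholds (8 links, 50 % host share) and the disposable-host list are assumptions; the platform's real rules are not published on this page.

```python
"""Added illustration, not the analysis platform's code: URL extraction tagged by
channel from a constructed minimal PDF, then the link-farm scoring the heuristics
above describe. Thresholds and the disposable-host list are assumptions."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed, uncompressed PDF fragment: one /URI link annotation plus page text
# carrying two of the report's URLs. Real samples Flate-compress their streams
# (zlib.decompress first) and often split text across several Tj operators.
SAMPLE_PDF = b"""%PDF-1.4
3 0 obj << /Type /Page /Contents 4 0 R /Annots [5 0 R] >> endobj
4 0 obj << /Length 0 >>
stream
BT /F1 10 Tf 20 700 Td (see https://rakuwogu.weebly.com/uploads/1/3/4/8/134858672/wosudatepo.pdf) Tj ET
BT /F1 10 Tf 20 680 Td (http://scripts.sil.org/OFL) Tj ET
endstream
endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [20 690 300 710]
  /A << /S /URI /URI (https://crewmak.ru/pbw?utm_term=integrated+chinese+lesson+7+dialogue+2+workbook+answers) >> >>
endobj
%%EOF
"""

URL_RE = re.compile(rb"https?://[^\s()<>\[\]]+")


def extract_urls(pdf):
    """Return (channel, url) pairs; the channel records how a reader reaches the URL."""
    found = []
    # /URI actions are clickable. Literal strings may carry escaped parentheses,
    # so a production parser must honour PDF string escapes; this regex does not.
    for m in re.finditer(rb"/URI\s*\(([^)]*)\)", pdf):
        found.append(("link_annotation", m.group(1).decode("latin-1")))
    # URLs that merely appear in page text are not links in the PDF structure.
    for s in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", pdf, re.S):
        for m in URL_RE.finditer(s.group(1)):
            found.append(("document_text", m.group(0).decode("latin-1")))
    return found


# Assumption: example list of free/disposable content hosts seen in this campaign.
DISPOSABLE_DOMAINS = {"weebly.com", "pbworks.com", "strikinglycdn.com", "f-static.net"}


def registered_domain(host):
    # Last-two-labels approximation; use a public-suffix-list library in production.
    return ".".join(host.lower().split(".")[-2:])


def score_link_farm(urls, min_links=8, dominant_share=0.5):
    """Apply the clustered and disposable link-farm rules to (channel, url) pairs."""
    pdf_links = [u for _, u in urls if urlsplit(u).path.lower().endswith(".pdf")]
    n = len(pdf_links)
    by_host = Counter(urlsplit(u).hostname for u in pdf_links)
    top_host, top_n = by_host.most_common(1)[0] if by_host else (None, 0)
    top_share = top_n / n if n else 0.0
    disposable = sum(registered_domain(urlsplit(u).hostname) in DISPOSABLE_DOMAINS
                     for u in pdf_links)
    has_utm_term = any("utm_term" in parse_qs(urlsplit(u).query) for _, u in urls)
    flags = set()
    if any(ch == "link_annotation" for ch, _ in urls):
        flags.add("PDF_URI")
    if n >= min_links and top_share >= dominant_share:
        flags.add("PDF_SEO_LINK_FARM")
    elif n >= min_links and (has_utm_term or disposable / n >= 0.5):
        flags.add("PDF_SEO_DISPOSABLE_LINK_FARM")
    return {"pdf_links": n, "top_host": top_host, "top_share": round(top_share, 3),
            "disposable": disposable, "utm_term": has_utm_term, "flags": flags}


# A subset of the URLs the report extracted, re-entered with their channels.
REPORT_URLS = [("link_annotation",
                "https://crewmak.ru/pbw?utm_term=integrated+chinese+lesson+7+dialogue+2+workbook+answers")]
REPORT_URLS += [("document_text", u) for u in """
https://rakuwogu.weebly.com/uploads/1/3/4/8/134858672/wosudatepo.pdf
https://cdn-cms.f-static.net/uploads/4480595/normal_602c905adb537.pdf
https://tapebosipufadiz.weebly.com/uploads/1/3/4/3/134366988/funizugigoni_tomazazofubeper_foluxakumi_tezadufovokaj.pdf
https://cdn-cms.f-static.net/uploads/4481520/normal_601f7e1d170b4.pdf
https://kavivapepegag.weebly.com/uploads/1/3/4/2/134235540/2206784.pdf
https://gunimumatepatu.weebly.com/uploads/1/3/5/3/135313318/278c94f79.pdf
http://www.ascendercorp.com/
http://kiletejude.pbworks.com/f/nimejulodisiwena.pdf
http://bojirakaj.pbworks.com/f/sportcraft_electronic_dartboard_instructions.pdf
https://uploads.strikinglycdn.com/files/bde7f541-eeba-40bc-b6b7-34dd261ee134/where_to_buy_extra_long_jumper_cables.pdf
https://uploads.strikinglycdn.com/files/8b4935d6-4559-4e7e-9098-921019a30c07/how_to_develop_intuition.pdf
http://lugozamuxika.pbworks.com/f/20618119911.pdf
https://uploads.strikinglycdn.com/files/cf4511f7-df0e-413d-a78e-d459c4989233/suxuxebixezajaxa.pdf
http://scripts.sil.org/OFL
""".split()]

if __name__ == "__main__":
    for channel, url in extract_urls(SAMPLE_PDF):
        print(channel, url)
    print(score_link_farm(REPORT_URLS))
```

On the subset above the clustered rule stays quiet (the largest single host holds 3 of 12 PDF links) while the disposable-hosting rule fires on the utm_term redirector and the all-disposable host set, which is the behaviour the heuristic descriptions lead you to expect for this family; a list of PDF links all on one host trips the clustered rule instead. For real samples replace the stream regex with a proper text extractor, since wkhtmltopdf output is compressed and splits strings across operators.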

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000e6e2.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xE6E2   17328 bytes
  SHA-256: 987519d437761a619670ee76faa30a06da7a2d898936e99bb4ae5a11b23cb64a
font_01_sfnt_off00011dd2.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x11DD2  5644 bytes
  SHA-256: 1fde6210a9fa7e5760e28766a30baa8c3dcf328305949fe50bf9d5689c7b2868

Both artifacts are ordinary sfnt (TrueType/OpenType) font programs embedded by the producing application; nothing in this report flags them as malicious. The http://www.ascendercorp.com and http://scripts.sil.org/OFL URLs in the list above are font-vendor and font-licence references of the kind carried in a font's name table, almost certainly originating from these fonts rather than from the lure.
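Fonts like the two carved above can be located and sized without a full PDF parser: the 12-byte sfnt header gives the table count and the table directory gives every table's offset and length, so the font ends at the largest offset+length. The following is an added example, not the platform's carver; the font and the PDF bytes around it are constructed inline, and the 64-table sanity cap and the magic-only scan are assumptions.

```python
"""Added illustration, not the platform's carver: locate embedded sfnt (TrueType/
OpenType) font programs inside a PDF by their header, size them from the table
directory, and hash the carved bytes. Sample PDF and font are constructed inline."""
import hashlib
import re
import struct

# sfntVersion values: 0x00010000 (TrueType), 'OTTO' (CFF OpenType), 'true' (Apple).
SFNT_MAGIC = re.compile(rb"\x00\x01\x00\x00|OTTO|true")


def build_sfnt(tables):
    """Constructed minimal font: header, table directory, then 4-byte-aligned table data."""
    num = len(tables)
    header = struct.pack(">IHHHH", 0x00010000, num, 0, 0, 0)
    offset = 12 + 16 * num
    directory, body = b"", b""
    for tag, data in tables:
        directory += struct.pack(">4sIII", tag, 0, offset, len(data))
        padded = data + b"\0" * (-len(data) % 4)
        body += padded
        offset += len(padded)
    return header + directory + body


def sfnt_length(buf, off):
    """Return the font's length from its table directory, or None if not a plausible sfnt."""
    if off + 12 > len(buf):
        return None
    num_tables = struct.unpack_from(">H", buf, off + 4)[0]
    # Assumption: real fonts have a handful of tables; a huge count is a false magic hit.
    if not 1 <= num_tables <= 64 or off + 12 + 16 * num_tables > len(buf):
        return None
    end = 0
    for i in range(num_tables):
        tag, _chk, toff, tlen = struct.unpack_from(">4sIII", buf, off + 12 + 16 * i)
        # Tags are printable ASCII and every table must lie inside the carrier file.
        if not all(0x20 <= c < 0x7F for c in tag) or toff + tlen > len(buf) - off:
            return None
        end = max(end, toff + tlen)
    return end + (-end % 4)


def carve_fonts(buf):
    """Return (offset, length, sha256) for every validated sfnt header in buf."""
    out = []
    for m in SFNT_MAGIC.finditer(buf):
        length = sfnt_length(buf, m.start())
        if length:
            data = buf[m.start():m.start() + length]
            out.append((m.start(), length, hashlib.sha256(data).hexdigest()))
    return out


# Constructed carrier: a text stream containing the decoy word "true" (rejected by
# the directory checks) followed by an uncompressed font stream. Real PDFs usually
# Flate-compress font streams, so inflate each stream before scanning it.
FONT = build_sfnt([(b"head", b"\0" * 54), (b"name", b"Constructed example font")])
SAMPLE_PDF = (
    b"%PDF-1.4\n4 0 obj << /Length 17 >>\nstream\n(this is true) Tj\nendstream\nendobj\n"
    + b"7 0 obj << /Length " + str(len(FONT)).encode() + b" >>\nstream\n"
    + FONT
    + b"\nendstream\nendobj\n%%EOF\n"
)

if __name__ == "__main__":
    for off, length, digest in carve_fonts(SAMPLE_PDF):
        print("sfnt at offset 0x%X, %d bytes, SHA-256 %s" % (off, length, digest))
```

The offsets reported in the artifact table above are file offsets of this kind, so re-running a carver like this over the original sample and comparing the SHA-256 of each carved range against the listed digests is a quick way to confirm that a fresh copy of the file is the one analysed.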