Malicious PDF — malware analysis report

Static analysis result for SHA-256 d0d33b11d4ebfcf7…

MALICIOUS

PDF

76.1 KB Created: 2021-06-04 07:40:32 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-27
MD5: 2024b8f0a94a028281740a5478355d84 SHA-1: dceb92444a173967bb275128372a8098fc134f51 SHA-256: d0d33b11d4ebfcf70919ccc1b62bf4ea1989660151e7b754be53d873f340cc75
184 Risk Score
Tags
free-cdn-ebook-manual-lure

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file was detected as malicious by ClamAV and ML classifiers, indicating a phishing or trojan threat. It contains a large number of external links, many hosted on disposable domains, suggesting it's part of a link farm designed to redirect users to malicious content. The document body, though heavily obfuscated, contains metadata related to 'best practices for cold calling', which could be a lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5347

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://pixomot.ru/pbw?utm_term=best+practices+for+cold+calling PDF link annotation
    • https://napaxivate.weebly.com/uploads/1/3/0/8/130813999/kozobubuvomog_mopim.pdfIn PDF document text
    • https://nusavudusegi.weebly.com/uploads/1/3/4/4/134444144/muxakew-teligibokeve.pdfIn PDF document text
    • https://penotogales.weebly.com/uploads/1/3/1/4/131438478/pazenedibudobon.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4415334/normal_6067a59ccec01.pdfIn PDF document text
    • https://parafobosa.weebly.com/uploads/1/3/1/8/131857791/c6b42ce49e.pdfIn PDF document text
    • https://puvapimasekasu.weebly.com/uploads/1/3/4/3/134398754/misoxefem.pdfIn PDF document text
    • https://difegalit.weebly.com/uploads/1/3/2/6/132681294/bibujapofunajuxen.pdfIn PDF document text
    • https://lesinagin.weebly.com/uploads/1/3/1/4/131454304/5d340e.pdfIn PDF document text
    • https://sibuvavaxo.weebly.com/uploads/1/3/2/6/132681946/5101656.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4403689/normal_5fc6583cf076c.pdfIn PDF document text
    • https://lijotabele.weebly.com/uploads/1/3/4/0/134016876/5f864c3789f03f4.pdfIn PDF document text
    • https://dawitomow.weebly.com/uploads/1/3/4/4/134439013/16261ca0e0.pdfIn PDF document text
    • https://mikudone.weebly.com/uploads/1/3/4/3/134370159/e8d7a5e23e65d.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4422163/normal_601ca970ef598.pdfIn PDF document text
    • https://resojuwow.weebly.com/uploads/1/3/4/3/134351964/b09038cfb.pdfIn PDF document text
    • https://gusemotasejodab.weebly.com/uploads/1/3/2/7/132741535/puzamemojiwom.pdfIn PDF document text
    • https://powipawi.weebly.com/uploads/1/3/4/3/134313445/tireni_zarul.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4385020/normal_601ca28a15425.pdfIn PDF document text
    • https://gijudopit.weebly.com/uploads/1/3/5/3/135321477/kusanowa-xepajixapifowir.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://gibudufu.pbworks.com/f/pokemon_go_hack_apk_ios.pdfIn PDF document text
    • http://risuxujuvu.pbworks.com/w/file/fetch/144519999/78499459042.pdfIn PDF document text
    • http://lagawiwefe.pbworks.com/f/manual_de_transmision_automatica_722.6.pdfIn PDF document text
    • http://wuvebag.pbworks.com/f/financial_statement_analysis_and_security_valuation_5e_by_penman_s.h.pdfIn PDF document text
    • http://wamotarirup.pbworks.com/f/how_to_cite_two_footnotes_in_one_sentence.pdfIn PDF document text
    • http://vazexetuv.pbworks.com/f/how_to_find_atomic_mass_of_magnesium.pdfIn PDF document text
    • http://negovijalulu.pbworks.com/f/free_fillable_printable_family_tree_template.pdfIn PDF document text
    • http://zosajivapesi.pbworks.com/w/file/fetch/144541542/muburijebuxebijexa.pdfIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00011504.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x11504 5372 bytes
SHA-256: caadd844c5f113eef258363589b18f2d33dce3616ae831220d87fb16d1b79823

Open this report in the interactive analyzer, or submit your own file for analysis.