Malicious PDF — malware analysis report

Static analysis result for SHA-256 df64aafef4acc138…

Verdict: MALICIOUS

File type: PDF

Size: 66.5 KB
Created: 2021-06-07 02:48:56 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-18
MD5: 3868b46708f87cb30690903747a8db58
SHA-1: da593851c51fd2c1697b77d4525021c7b7bdeaa1
SHA-256: df64aafef4acc1385fb770be5cad9d6d5efa8f7b3db7589bca63495902087dc1
Risk score: 184

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file was classified as malicious by the Nyx PDF ML classifier (score 0.9263) and by ClamAV (signature Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0), indicating a phishing or trojan delivery document rather than an exploit document. It contains 25 external URLs, 24 of them .pdf links in the document text hosted on free or disposable services (weebly.com, pbworks.com, strikinglycdn.com), which matches a generated SEO link farm built to rank for search queries and route users into redirect or unwanted-software delivery chains. The only clickable link annotation is https://infrive.ru/pbw?utm_term=why+is+my+crackle+not+crackling, a utm_term-tagged SEO redirector that is likely the entry point of the redirection scheme. The PDF itself carries no exploit; the risk lies in the linked destinations, so the URLs and hosts are the indicators worth blocking.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9263

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://infrive.ru/pbw?utm_term=why+is+my+crackle+not+crackling (PDF link annotation)
    • https://mubasaji.weebly.com/uploads/1/3/4/8/134846322/bitofazozasod.pdf (in PDF document text)
    • https://temerineg.weebly.com/uploads/1/3/0/9/130969052/nukeda_wewiliniwagigu.pdf (in PDF document text)
    • https://wokozizexufam.weebly.com/uploads/1/3/4/2/134234926/kifogitaf_sivofabutixive.pdf (in PDF document text)
    • https://wajadotufa.weebly.com/uploads/1/3/1/8/131857144/72ae122.pdf (in PDF document text)
    • https://nopirirog.weebly.com/uploads/1/3/4/2/134234714/4009380.pdf (in PDF document text)
    • https://susuwiwonilo.weebly.com/uploads/1/3/1/6/131606006/5f6a323.pdf (in PDF document text)
    • https://jaserasozupog.weebly.com/uploads/1/3/1/4/131454215/a4fdb4b63d5.pdf (in PDF document text)
    • https://palekanino.weebly.com/uploads/1/3/4/3/134372766/munobakupogomej_jovoguximul_perovudipik.pdf (in PDF document text)
    • https://botapafejerevim.weebly.com/uploads/1/3/5/3/135317081/kisapaziweladi.pdf (in PDF document text)
    • https://tijezelaxupoki.weebly.com/uploads/1/3/5/3/135340387/nimetonenoxefal.pdf (in PDF document text)
    • https://rinejadujasale.weebly.com/uploads/1/3/0/7/130775071/701a95a8e4c3d81.pdf (in PDF document text)
    • https://labimatejodo.weebly.com/uploads/1/3/2/3/132302966/f0d1a7fc7.pdf (in PDF document text)
    • http://xugilip.pbworks.com/w/file/fetch/144528084/29074639921.pdf (in PDF document text)
    • http://sepaxebi.pbworks.com/w/file/fetch/144414048/negowujuxuxenarapageveza.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/52a7dc2f-9a44-435b-ba29-d6b77403b0f7/43812230321.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/23283c54-bd04-4e28-93eb-11820e73d51d/tomema.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/be03bfa5-5f58-42cc-ac99-53e605f5ffa3/daxipazuxo.pdf (in PDF document text)
    • http://ropotupi.pbworks.com/f/25876954211.pdf (in PDF document text)
    • http://sorawako.pbworks.com/f/tasasepetudukosutusajeful.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/251528cc-d90f-4a51-b26b-a191c9a9ef98/gemasuxifisel.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/37a3a44c-1c24-46a8-9b0c-8764f6a2cd66/juwegadoni.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/8bd28744-ffdd-4386-950b-5a13cf3ef75b/how_to_protect_tree_trunk.pdf (in PDF document text)
    • http://rixepal.pbworks.com/w/file/fetch/144520668/how_do_i_enable_chrome_flags_on_android.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/1feb85cc-b3e8-4190-9c8a-c10ba004dff2/object_pascal_language_guide.pdf (in PDF document text)
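The two link-farm heuristics above (PDF_SEO_LINK_FARM, "mostly clustered on one host", and PDF_SEO_DISPOSABLE_LINK_FARM, "no single dominant host") can both fire on the same file because "host" can be measured at two granularities: at full-hostname level every weebly.com and pbworks.com link in this sample sits on its own subdomain, while at registrable-domain level weebly.com alone accounts for 12 of the 24 document-text URLs. The script below is an added example, not the scanner's own code, that reproduces that triage logic over a constructed miniature of this sample: it pulls URLs out of uncompressed PDF bytes (separating /URI link-annotation actions from URL literals in the page text), computes the top-host and top-domain shares, looks for utm_term redirectors and disposable hosts, and emits the same flag names. The thresholds (MIN_PDF_LINKS, MAX_SMALL_PDF, CLUSTER_SHARE), the DISPOSABLE_DOMAINS list, the naive two-label registrable-domain rule and the sample PDF are all assumptions for the example; a real deployment would inflate FlateDecode streams first and use a public-suffix list.

```python
"""Triage heuristics for SEO link-farm PDFs: regex-level URL extraction plus
host clustering. Added example; thresholds and host list are assumptions."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Free-subdomain / file hosts seen in this family (assumed list, extend as needed)
DISPOSABLE_DOMAINS = {"weebly.com", "pbworks.com", "strikinglycdn.com"}
MIN_PDF_LINKS = 8            # assumed threshold for a "mass" .pdf link farm
MAX_SMALL_PDF = 200 * 1024   # assumed size ceiling for a "small PDF"
CLUSTER_SHARE = 0.5          # share of links on one host/domain to call it "clustered"

URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")          # /A << /S /URI /URI (...) >>
URL_RE = re.compile(rb"https?://[^\s()<>\"']+")             # any URL literal in the bytes


def extract_urls(pdf: bytes) -> tuple[list[str], list[str]]:
    """Return (link-annotation URLs, document-text URLs) from uncompressed PDF bytes.
    A URL inside a /URI action is clickable; every other URL literal is treated as
    document text. Compressed content streams would need inflating before this."""
    annots = [m.decode("latin-1") for m in URI_ACTION_RE.findall(pdf)]
    seen = set(annots)
    text = [u.decode("latin-1") for u in URL_RE.findall(pdf)
            if u.decode("latin-1") not in seen]
    return annots, text


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels); adequate for the hosts in this family."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def assess(pdf: bytes) -> dict:
    """Apply the link-farm heuristics and return the evidence plus flag names."""
    annots, text = extract_urls(pdf)
    urls = annots + text
    hosts = [urlparse(u).hostname or "" for u in urls]
    pdf_links = [u for u in urls if urlparse(u).path.lower().endswith(".pdf")]
    host_share = max(Counter(hosts).values()) / len(urls) if urls else 0.0
    domain_share = (max(Counter(map(registrable_domain, hosts)).values()) / len(urls)
                    if urls else 0.0)
    disposable = [u for u, h in zip(urls, hosts)
                  if registrable_domain(h) in DISPOSABLE_DOMAINS]
    utm_redirectors = [u for u in urls if "utm_term" in parse_qs(urlparse(u).query)]

    flags = []
    if annots:
        flags.append("PDF_URI")                     # file carries an external URL action
    if len(pdf) <= MAX_SMALL_PDF and len(pdf_links) >= MIN_PDF_LINKS:
        if domain_share >= CLUSTER_SHARE:           # one registrable domain dominates
            flags.append("PDF_SEO_LINK_FARM")
        if host_share < CLUSTER_SHARE and (utm_redirectors or disposable):
            flags.append("PDF_SEO_DISPOSABLE_LINK_FARM")  # thin across hostnames
    return {
        "size": len(pdf), "annotation_urls": annots, "text_urls": text,
        "pdf_links": len(pdf_links), "top_host_share": round(host_share, 2),
        "top_domain_share": round(domain_share, 2), "disposable": len(disposable),
        "utm_redirectors": utm_redirectors, "flags": flags,
    }


def build_sample_pdf(annot_url: str, text_urls: list[str]) -> bytes:
    """Constructed minimal PDF: one page, one /Link annotation, URLs as page text.
    No xref table is written; regex-level triage tools do not need one."""
    body = ("BT /F1 10 Tf 20 720 Td "
            + " ".join(f"({u}) Tj 0 -14 Td" for u in text_urls) + " ET")
    return (
        "%PDF-1.4\n"
        "1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        "2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        "3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >> endobj\n"
        f"4 0 obj << /Length {len(body)} >> stream\n{body}\nendstream endobj\n"
        "5 0 obj << /Type /Annot /Subtype /Link /Rect [20 700 300 715] "
        f"/A << /S /URI /URI ({annot_url}) >> >> endobj\n"
        "trailer << /Root 1 0 R >>\n%%EOF\n"
    ).encode("latin-1")


# Constructed sample mirroring the host mix of the analysed file (subset of its URLs)
SAMPLE_TEXT_URLS = [
    f"https://{n}.weebly.com/uploads/1/3/4/8/134846322/{n}.pdf"
    for n in ("mubasaji", "temerineg", "wokozizexufam", "wajadotufa",
              "nopirirog", "susuwiwonilo")
] + [
    "http://xugilip.pbworks.com/w/file/fetch/144528084/29074639921.pdf",
    "http://ropotupi.pbworks.com/f/25876954211.pdf",
    "https://uploads.strikinglycdn.com/files/52a7dc2f-9a44-435b-ba29-d6b77403b0f7/43812230321.pdf",
    "https://uploads.strikinglycdn.com/files/23283c54-bd04-4e28-93eb-11820e73d51d/tomema.pdf",
]
SAMPLE_ANNOT_URL = "https://infrive.ru/pbw?utm_term=why+is+my+crackle+not+crackling"
SAMPLE_PDF = build_sample_pdf(SAMPLE_ANNOT_URL, SAMPLE_TEXT_URLS)

if __name__ == "__main__":
    import json
    print(json.dumps(assess(SAMPLE_PDF), indent=2))
```

On the constructed sample, weebly.com holds 6 of 11 URLs (top_domain_share 0.55) while no single hostname holds more than 2 (top_host_share 0.18), so assess() raises PDF_URI, PDF_SEO_LINK_FARM and PDF_SEO_DISPOSABLE_LINK_FARM together, exactly the combination seen in this report. Swap the hostname list for a different mix to see the two SEO flags separate.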

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f92a.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xF92A
Size: 3552 bytes
SHA-256: 4ecc45fd0b3a5b103903e724f504164500c2ccb69fbeadf20ef63a6ba849a579