Malicious PDF — malware analysis report

Static analysis result for SHA-256 e1c16e8c8cb10c04…

MALICIOUS

PDF

Size: 90.2 KB
Created: 2021-03-24 07:35:48 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-01
MD5: f7d22bd5ba5e4f6e3baaf320f22f77a1
SHA-1: f0774ec9a5b95a056e1a066ea026015264e5604b
SHA-256: e1c16e8c8cb10c04667767e4e235fa04affdac279b604a064def2479e851dc40
Risk Score: 184

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6278

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000fceb.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFCEB | 5636 bytes
  SHA-256: aa7856000c0909f85bdd1f3827e5c73e666dcfd3a64b21a2ab291b3decb1d0e5
font_01_sfnt_off00011005.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11005 | 3720 bytes
  SHA-256: b91f3c26f37c28538ed09035cbea6f9221827f1e30b50c452f08cc820bcc167b
font_02_sfnt_off00011b60.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11B60 | 1800 bytes
  SHA-256: e9a5a1f6ed95b1e3669933bb00002ad32a1708c3e0b735191cad5e02368a6c7d
font_03_sfnt_off000123ee.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x123EE | 11156 bytes
  SHA-256: 45a305031c1093c38f83b3152e90cb52ffa714454827243b3ab292d71d0511bf
font_04_sfnt_off000149fc.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x149FC | 16068 bytes
  SHA-256: 2e6efdb6ec6b06881b73571a6dc11127da1b4fc0f11d045bd7c2e12cbfc92ea6