Malicious PDF — malware analysis report

Static analysis result for SHA-256 e4d34833d2ba280a…

MALICIOUS

PDF

72.7 KB Created: 2021-06-06 00:49:41 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-23
MD5: 31be01d0f5a58686e32eb1b763b9701f SHA-1: 7249bc3a18d7f25c41ea8bf3d42a440e5029ae5a SHA-256: e4d34833d2ba280a92c52ec16bb7729bc6d288fd1fb0f0289ada2769e423cae6
186 Risk Score
Tags
free-cdn-ebook-manual-lure

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://catamma.ru/pbw?utm_term=how+to+take+off+bassinet+cover PDF link annotation
    • https://cdn-cms.f-static.net/uploads/4390680/normal_60526d61eebce.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4450347/normal_5fdd94151d32c.pdfIn PDF document text
    • https://kibewuzogoluwiw.weebly.com/uploads/1/3/1/6/131636689/2361529.pdfIn PDF document text
    • https://xusuzipurojovup.weebly.com/uploads/1/3/4/3/134325257/2929800.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4387929/normal_5fd048752eb3f.pdfIn PDF document text
    • https://rutepoger.weebly.com/uploads/1/3/4/5/134509459/gebobesuwikitefogemo.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4405440/normal_5fdf43585c2c6.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/efbc6e83-7152-49af-b2c7-ce12b2de62d7/mogatebug.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/eb9278d7-981f-4e7f-a033-d57b2e1e72b1/1618150330.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/8a183217-18f2-4e63-ad25-cd4976803491/zatoridulazijepufa.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/cfcbb882-f726-44e0-86c4-8c4336e34f86/57688606129.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/caeaf5fd-b777-4985-8feb-5ff514cf6868/gepaxim.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/f2715746-c8ae-4c64-bc06-02a12bf6ce46/is_arbys_gyro_good.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/8d921513-fa8e-4a69-8525-c0b38644db62/zagegajesafibabomub.pdfIn PDF document text
    • http://lipadune.pbworks.com/w/file/fetch/144578256/83966109762.pdfIn PDF document text
    • http://larabefejaji.pbworks.com/f/54562511790.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/092fce8b-760a-4901-b3cc-bae14da30428/jump_rope_for_heart_prizes.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000dda7.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDDA7 5160 bytes
SHA-256: 93e4882e40693b563eefdf3a748471465c329a9b72445f235960fe6661fc5c83
font_01_sfnt_off0000ef63.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEF63 11088 bytes
SHA-256: f585d0e9f17d35526b8ea02852b9b8b0ab9ec60806c590bc6946594bcfd402d9

Open this report in the interactive analyzer, or submit your own file for analysis.