Malicious PDF — malware analysis report

Static analysis result for SHA-256 e610c4b7a250816e…

Verdict: MALICIOUS
File type: PDF
Size: 64.3 KB
Created: 2021-03-25 02:53:30 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-08-20
MD5: 57117c6af51b9781755e22fd86644068
SHA-1: d5bc1a0860ef66f4b8d4a32aeb79ae8a208502a5
SHA-256: e610c4b7a250816e62f2ce4e0efc7f9cf053396cae3d31ed9fbba90e6ca3b9a7
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution

This PDF document contains a large number of links to external websites, many of which are hosted on disposable domains and appear to be part of a link farm designed to manipulate search engine results. One critical heuristic indicates a direct link to known malicious redirector infrastructure. The document's content, though heavily obfuscated, suggests a lure related to setting up a camera, likely intended to trick users into visiting malicious sites for phishing or malware downloads. ClamAV's detection of the file as 'Pdf.Phishing.Trojan' further supports its malicious nature.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9823

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000cced.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xCCED
    Size: 5100 bytes
    SHA-256: 94ee28968139904ee34472b52134f409acdefbfa667f9b3cdff601886689605f
  • font_01_sfnt_off0000de3f.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDE3F
    Size: 10508 bytes
    SHA-256: 4c11207066aa324dcdcf1f1f634e75977a6376f69efc5aeb9702f52ca75e94b0