Malicious PDF — malware analysis report

Static analysis result for SHA-256 f22552cdade8fc5d…

Verdict: MALICIOUS
File type: PDF
Size: 70.0 KB
Created: 2021-05-04 07:44:34 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-08-25
MD5: 9b55af15b5ec55ae542ff64a209c2b40
SHA-1: 85aed82659c9c19b6df7ef6f24bfcee8428802b9
SHA-256: f22552cdade8fc5dbb33bbec48e7a02a8c106731427260a973b922f39bed0afd
Risk Score: 184

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. It functions as a link farm, containing numerous external URLs, with one prominent URL pointing to 'fokemale.ru'. The presence of a link farm suggests an attempt to distribute phishing content or redirect users to malicious sites, aligning with the Spearphishing Attachment technique.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9901

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting (severity: medium, rule: PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://fokemale.ru/strik?utm_term=hot+springs+sovereign+spa+price (PDF link annotation)
    • https://cdn-cms.f-static.net/uploads/4445320/normal_602e4b1946974.pdf (in PDF document text)
    • https://cdn.sqhk.co/vitimosugu/hc4Mhcj/gajexojaruligozonudife.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4374978/normal_5fffb20cdb1a0.pdf (in PDF document text)
    • https://cdn.sqhk.co/dajebala/hgSHngc/heart_pump_model_project.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4460966/normal_6004b7efc7a38.pdf (in PDF document text)
    • https://cdn.sqhk.co/xoxamomajil/geiagiU/defina.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4481422/normal_606a24ddb9208.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4425504/normal_5fdbe0c3c9d77.pdf (in PDF document text)
    • https://cdn.sqhk.co/pigalixow/hdAoXjj/sixeduzewisu.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4446915/normal_601473b59d02e.pdf (in PDF document text)
    • https://cdn.sqhk.co/logubaxe/afhglUl/oscar_awards_2017.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4501029/normal_5ff600c8e51ed.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://f608bf75-187c-4b28-9621-af925c05c2b6.filesusr.com/ugd/05e3ad_5f0c35b2232545b2bc7778d3fb6ece1e.pdf?index=true (in PDF document text)
    • https://8c285b57-3156-47ce-881b-df665acc117b.filesusr.com/ugd/8d46c2_cced4892fffe42f7a69523d5f8495e32.pdf?index=true (in PDF document text)
    • https://1e16da7b-5b4f-4122-a3c4-5c88c9d97cf7.filesusr.com/ugd/83f04e_5376d42fdc6f496ea8bfb6b11dd434d1.pdf?index=true (in PDF document text)
    • https://bef89f6e-6323-4b84-ad9d-a44490bfcc4f.filesusr.com/ugd/96768c_790be3e78d91454084e2bdb9690ca8f9.pdf?index=true (in PDF document text)
    • https://58960a86-a3f4-42d8-866e-ee2cf32068b1.filesusr.com/ugd/1ad962_5a1cec493ae140f6b63f8e278ed6f793.pdf?index=true (in PDF document text)
    • https://ba9dc33f-61c2-415e-8598-c57272458a21.filesusr.com/ugd/c05727_6c407e4b85e345278ba4a04b147ad548.pdf?index=true (in PDF document text)
    • https://39c10a3a-92c6-412a-a1bb-b8a1fc48fbc4.filesusr.com/ugd/259099_e4fe49bf0cb140bbb3eb968ea1e0370d.pdf?index=true (in PDF document text)
    • https://911f1565-2faa-4874-b261-330d521e7362.filesusr.com/ugd/f46427_b73a0a5fc4f44e1591faab831dcea36c.pdf?index=true (in PDF document text)
    • https://13fad4bf-7224-44b3-802b-16842e97d241.filesusr.com/ugd/b14664_ee96ea00b6c6419ca21572d181958763.pdf?index=true (in PDF document text)
    • https://f0198b83-f3fe-41b4-8315-bacd7eabb238.filesusr.com/ugd/2b3f46_d2948f34d2214b12afe2d312e32e2796.pdf?index=true (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000e38e.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE38E
    Size: 5088 bytes
    SHA-256: 8ad36fd458914fd21e49f794de7041b5604ddc5f23c1e3408e3324d57fa506d0
  • Filename: font_01_sfnt_off0000f4f5.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF4F5
    Size: 12012 bytes
    SHA-256: d47e06dbae730c256141fbc0b52819459c680e6b2ed1d105129ba52552ae91d6