Malicious PDF — malware analysis report

Static analysis result for SHA-256 f3dfc097764976e0…

Verdict: MALICIOUS
File type: PDF
Size: 50.6 KB
Created: 2021-04-05 02:08:32 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-24
MD5: 62ba0faa6b58aa48cd8f9b8d6663fd55
SHA-1: ee55ddc63dc8090255cb841e914b6e168e19677a
SHA-256: f3dfc097764976e0c03038d2dbf0089144164d05978ca4fc523321f2af3d7030
Risk Score: 184

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8343

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://dugedepap.ru/aws?utm_term=engineering+mechanics+pdf+notes (PDF link annotation)
    • https://cdn-cms.f-static.net/uploads/4471273/normal_600f43328df6f.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4447095/normal_604496fb9f191.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4457272/normal_5feb8e5ea5852.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4490918/normal_60114a3211e5e.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4426261/normal_604bc76aedd22.pdf (in PDF document text)
    • https://4e16d9da-0927-4957-8a4e-4544605d6055.filesusr.com/ugd/d7e550_2e320700d1984eb6b495f9abf6aa58fa.pdf?index=true (in PDF document text)
    • https://510adc33-753b-44c0-977e-8d34da8fcdd4.filesusr.com/ugd/5f4192_ec5cd9426b7549b2b44133a81245055a.pdf?index=true (in PDF document text)
    • https://ac65beef-1c88-4b01-a948-251493ed82f2.filesusr.com/ugd/09857b_895c86b927084d689d1b84a9c1e7faf0.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/11dd977b-a348-46be-b46b-90a082423956/95230794001.pdf (in PDF document text)
    • https://467375c7-a7a6-4806-a9b7-892c2a528f89.filesusr.com/ugd/911174_6829115120dc4168aa7498b67e11e59e.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/78cd610b-36bc-4273-95aa-95f570c5f406/aim_csaire_discourse_on_colonialism_summary.pdf (in PDF document text)
    • https://69a21580-3c80-4f81-8097-1ec0bc18215d.filesusr.com/ugd/bd7df1_be21144523894ea991e30ce78b50fb12.pdf?index=true (in PDF document text)
    • https://78e27e65-9996-4239-a63d-7a21722db537.filesusr.com/ugd/03f576_3b4f22623c754173bd7c699616bfe4c4.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/638e582a-3836-46b5-928b-be46e52b12f4/95516357949.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/2862bbd4-5f12-42bd-a6e5-0d53811adeed/iso_internal_auditor_training_ppt.pdf (in PDF document text)
    • https://99ca13e2-8bf0-45b2-93fa-bbfb519f101f.filesusr.com/ugd/5392be_99b883bde6664f38bd6138e4ae012ccd.pdf?index=true (in PDF document text)
    • https://98e80eac-0673-4bf9-a3de-4132461903b3.filesusr.com/ugd/1acd69_abb2381bdf6d4867bf47c7e1a09f6ea1.pdf?index=true (in PDF document text)
    • https://f07eb630-23ff-4298-a1df-d7940f1ba2dc.filesusr.com/ugd/097a5b_a43a6ea307aa4c70a92de3b4358c315d.pdf?index=true (in PDF document text)
    • https://e8ceee85-86bf-4804-80ab-d7a1511cbcf5.filesusr.com/ugd/38650a_46954b154bb34af59579aa58cc944760.pdf?index=true (in PDF document text)
    • https://4f640d82-8365-4c22-93d6-dbd3427c3fb0.filesusr.com/ugd/55e8b7_1659bb89224a4445948acb9a4c9691c6.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/98013ba9-e4f7-4626-87c0-219fd49958e5/gipitawaselosowusofo.pdf (in PDF document text)
    • https://05e27880-d5e1-4d3d-8428-ba943e9300bc.filesusr.com/ugd/b56239_a0a107edc2b9472abf6c61fe19df2122.pdf?index=true (in PDF document text)