Malicious PDF — malware analysis report

Static analysis result for SHA-256 f3f6cafc60629be9…

Verdict: MALICIOUS

File type: PDF

Size: 63.5 KB
Created: 2021-03-11 14:33:53 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-08-25
MD5: 88fb28942bfd983c0a617915e8b0ee45
SHA-1: 36771aed8cec2a9777b2e21167d1a186189b07ef
SHA-256: f3f6cafc60629be9abb0f38ed24c3529caa62a471ac59315469ebf4c0115b771
Risk Score: 184

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript

The PDF is a link farm: a small file carrying dozens of external URLs, most of them pointing at further PDFs hosted on throwaway domains or free content hosts, which is the pattern of SEO phishing carriers used for malware and unwanted-software distribution. The ML classifier and the ClamAV signature both flag it. No JavaScript or other scripts were extracted, so the file carries no exploit of its own (the T1059.007 tag is not corroborated by any extracted script); the risk lies in the linked destinations, which route users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8535

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://jottigo.ru/strik?utm_term=alaska+driver%2527s+manual+flashcards (PDF link annotation)
    • http://svoytrylend.xyz/83387751166cme9.pdf (in PDF document text)
    • http://verenica.net/793094596689izqm.pdf (in PDF document text)
    • http://arenda-comp.space/40597377302xjrbk.pdf (in PDF document text)
    • http://namelesssouth.xyz/canales_de_distribucion_unamymhdp.pdf (in PDF document text)
    • http://visionnew.xyz/63439117162cegkg.pdf (in PDF document text)
    • http://itali-big.space/lepitezojirexuyqf2d.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://uploads.strikinglycdn.com/files/ad78acac-5c4b-4245-a275-417bd77e6f1d/tarot_for_dummies_review.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/e98d4424-26ce-4b48-8f5c-c2555d5b0915/kedawat.pdf (in PDF document text)
    • https://s3.amazonaws.com/lupuvogotog/sagorifupifikazen.pdf (in PDF document text)
    • https://945b3f91-9c76-4178-be32-f0dab3cfe2c6.filesusr.com/ugd/8d5d69_eff134a0776c4a8090f889b746822a54.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/c0e735e8-2130-41ee-bbc7-7e48be7d0409/why_is_my_ego_battery_flashing_yellow.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/22d75091-8abf-495a-ba6c-9b8f26132b8c/2414515949.pdf (in PDF document text)
    • https://s3.amazonaws.com/paxunu/zutigikixezanoj.pdf (in PDF document text)
    • https://4cf2acc4-d143-4013-a78d-f21de0873c4f.filesusr.com/ugd/e4636f_dbc544ca1f3e4f4ba1935dcbb68cfc62.pdf?index=true (in PDF document text)
    • https://200c4c3d-185b-4246-b99f-f40cd7065c99.filesusr.com/ugd/3ed902_c2f871b4229c4cf1af3b9f2517b49e8a.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/88a6bc5b-89fc-4e32-a0e9-79878c0c02ed/70335330217.pdf (in PDF document text)
    • https://s3.amazonaws.com/peveziwoguxuzam/vibez.pdf (in PDF document text)
    • https://4bf641bf-117a-4913-931f-55e49063997f.filesusr.com/ugd/5befcb_f0a77630eaa84e508b299e19d4ed65ca.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/6cf8a74b-072d-42a1-b513-168be31986de/best_math_books_for_preschoolers.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/3f76123f-6de0-425a-a138-4d1d1754aa95/how_to_connect_yogg_smart_wristband.pdf (in PDF document text)
    • https://s3.amazonaws.com/rurosaveruk/12915504067.pdf (in PDF document text)
    • https://ba3a7bb5-edd2-4228-b29c-cf272df6a868.filesusr.com/ugd/bd1c09_2234af8f42da46fd85f58d262cb420ac.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/4f707852-a84b-423b-8953-f989aac13b7b/88656299949.pdf (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
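
The two link-farm heuristics above (PDF_SEO_LINK_FARM and PDF_SEO_DISPOSABLE_LINK_FARM) can be reproduced from the extracted URLs alone. The following is an added, self-contained example and not the analysis tool's own code: it builds a small PDF from a subset of the URLs listed in this report (a constructed test input, including one /URI link annotation carrying the utm_term redirector), pulls URLs out of it by channel (link annotation versus page text, inflating the FlateDecode content stream with zlib), and scores both heuristics. The helper names (build_pdf, extract_urls, score_link_farm, analyze), the size and link-count thresholds, the 30% "clustered" share, the disposable-host list and the last-two-labels domain grouping are all assumptions chosen for illustration; the tool's real thresholds are not stated on this page.

```python
# Added example, not the analysis tool's own code. Builds a small PDF mirroring this
# sample's link layout, extracts its URLs by channel and scores the two link-farm
# heuristics. Thresholds, the disposable-host list and the naive domain grouping are
# assumptions chosen for illustration.
import re
import zlib
from collections import Counter
from urllib.parse import parse_qs, urlparse

DISPOSABLE_DOMAINS = {"strikinglycdn.com", "amazonaws.com", "filesusr.com"}  # seen in report
SMALL_PDF_BYTES = 200_000   # "small PDF" cut-off (assumption; this sample is 63.5 KB)
MIN_PDF_LINKS = 10          # external .pdf links needed to call it a farm (assumption)
CLUSTER_SHARE = 0.30        # dominant-domain share that counts as "clustered" (assumption)

URL_RE = re.compile(rb"https?://[^\s<>()\"']+")
# A stream object: non-nested dictionary, then stream ... endstream (nested dicts not handled).
STREAM_RE = re.compile(rb"<<((?:(?!<<).)*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)


def decoded_streams(pdf: bytes):
    """Yield stream bodies, inflating FlateDecode streams; skip ones that fail to inflate."""
    for params, body in STREAM_RE.findall(pdf):
        if b"/FlateDecode" in params:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                continue
        yield body


def extract_urls(pdf: bytes):
    """Return (annotation_urls, text_urls): /URI actions vs. URLs written in page text.
    PDF string escapes are not handled; sufficient for plain URLs like this sample's."""
    annots = [u.decode("latin-1") for u in re.findall(rb"/URI\s*\(([^)]*)\)", pdf)]
    text = [u.decode("latin-1") for body in decoded_streams(pdf) for u in URL_RE.findall(body)]
    return annots, text


def registrable_domain(url: str) -> str:
    """Naive eTLD+1 (last two labels); a real tool would consult the public suffix list."""
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def score_link_farm(urls, pdf_size: int) -> dict:
    """Apply the clustered and non-clustered link-farm heuristics to the extracted URLs."""
    pdf_links = [u for u in urls if urlparse(u).path.lower().endswith(".pdf")]
    domains = Counter(registrable_domain(u) for u in pdf_links)
    top_share = domains.most_common(1)[0][1] / len(pdf_links) if pdf_links else 0.0
    disposable = [u for u in pdf_links if registrable_domain(u) in DISPOSABLE_DOMAINS]
    seo_redirect = [u for u in urls if "utm_term" in parse_qs(urlparse(u).query)]
    labels = []
    if pdf_size <= SMALL_PDF_BYTES and len(pdf_links) >= MIN_PDF_LINKS:
        if top_share >= CLUSTER_SHARE:          # mostly clustered on one host
            labels.append("PDF_SEO_LINK_FARM")
        if disposable or seo_redirect:          # disposable hosts and/or SEO redirector
            labels.append("PDF_SEO_DISPOSABLE_LINK_FARM")
    return {"pdf_links": len(pdf_links), "distinct_domains": len(domains),
            "top_domain_share": round(top_share, 2), "disposable_links": len(disposable),
            "seo_redirect": seo_redirect, "labels": labels}


def analyze(pdf: bytes) -> dict:
    annots, text = extract_urls(pdf)
    return score_link_farm(annots + text, len(pdf))


def build_pdf(text_urls, annot_url: str) -> bytes:
    """Constructed test input: one-page PDF (no xref table, so not strictly conformant)
    listing text_urls in a Flate-compressed content stream plus one /URI link annotation."""
    ops = b"".join(b"(%s) Tj T* " % u.encode() for u in text_urls)
    content = zlib.compress(b"BT /F1 10 Tf " + ops + b"ET")
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R /Annots [5 0 R] >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n%s\nendstream" % (len(content), content),
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 200 20] /A << /S /URI /URI (%s) >> >>"
        % annot_url.encode(),
    ]
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (n, o) for n, o in enumerate(objs, 1))
    return b"%PDF-1.4\n" + body + b"%%EOF\n"


# Subset of the URLs listed in this report, used to construct the sample PDF.
ANNOT_URL = "https://jottigo.ru/strik?utm_term=alaska+driver%2527s+manual+flashcards"
TEXT_URLS = [
    "http://svoytrylend.xyz/83387751166cme9.pdf",
    "http://verenica.net/793094596689izqm.pdf",
    "http://arenda-comp.space/40597377302xjrbk.pdf",
    "http://namelesssouth.xyz/canales_de_distribucion_unamymhdp.pdf",
    "http://www.ascendercorp.com/",
    "https://uploads.strikinglycdn.com/files/ad78acac-5c4b-4245-a275-417bd77e6f1d/tarot_for_dummies_review.pdf",
    "https://uploads.strikinglycdn.com/files/e98d4424-26ce-4b48-8f5c-c2555d5b0915/kedawat.pdf",
    "https://s3.amazonaws.com/lupuvogotog/sagorifupifikazen.pdf",
    "https://945b3f91-9c76-4178-be32-f0dab3cfe2c6.filesusr.com/ugd/8d5d69_eff134a0776c4a8090f889b746822a54.pdf?index=true",
    "https://uploads.strikinglycdn.com/files/c0e735e8-2130-41ee-bbc7-7e48be7d0409/why_is_my_ego_battery_flashing_yellow.pdf",
    "https://uploads.strikinglycdn.com/files/22d75091-8abf-495a-ba6c-9b8f26132b8c/2414515949.pdf",
    "https://s3.amazonaws.com/paxunu/zutigikixezanoj.pdf",
    "https://4cf2acc4-d143-4013-a78d-f21de0873c4f.filesusr.com/ugd/e4636f_dbc544ca1f3e4f4ba1935dcbb68cfc62.pdf?index=true",
    "http://scripts.sil.org/OFL",
]
SAMPLE_PDF = build_pdf(TEXT_URLS, ANNOT_URL)

if __name__ == "__main__":
    print(analyze(SAMPLE_PDF))
```

On the constructed sample both labels fire, as they did on the real file: 12 of the 14 text URLs are external .pdf links, the largest registrable domain (strikinglycdn.com) holds a third of them, eight sit on free content hosts, and the single link annotation carries a utm_term query. Note that the verdict says nothing about the file itself; a follow-up would be to resolve the linked hosts in a sandbox, not to look for an exploit in the PDF.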

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000d759.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xD759
Size: 5408 bytes
SHA-256: 5280c0daf1aee099eb0c8ae9cff47ff964cf126f9a43b5b10b5e216b3893d1c7