Malicious PDF — malware analysis report

Static analysis result for SHA-256 022a6a80af393fd2…

MALICIOUS

PDF

Size: 96.6 KB
Created: 2021-02-16 11:31:22 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-20
MD5: b757ee4edf473607afdb22dedd5bcf8d
SHA-1: 254fd63c810cc28a9ab7ba84b3e14d9cf067c8d5
SHA-256: 022a6a80af393fd28779f800afc127c16584584886289a600ebacfe5a7d601ae
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains a significant number of external links, matched by the 'PDF_SEO_LINK_FARM' heuristic. One of these links, 'https://baarspo.ru/strik?utm_term=tc+electronics+flashback+x4+effects+pedal', is flagged as potentially malicious. Although no scripts were directly extracted, the large number of external links suggests an attempt to redirect users to malicious content or to abuse search-engine rankings. The ML classifier and the ClamAV detection both strongly indicate malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://baarspo.ru/strik?utm_term=tc+electronics+flashback+x4+effects+pedal (PDF link annotation)
    • https://static.s123-cdn-static.com/uploads/4466408/normal_5ffe6c96e2b6e.pdf (in PDF document text)
    • https://zulevoto.weebly.com/uploads/1/3/2/6/132696122/2930644dff.pdf (in PDF document text)
    • https://bupefozatige.weebly.com/uploads/1/3/4/3/134384552/6556782.pdf (in PDF document text)
    • https://setibadumizokeg.weebly.com/uploads/1/3/4/8/134880372/vekusomedorot_xojud_minumew.pdf (in PDF document text)
    • https://nuzaguwimera.weebly.com/uploads/1/3/4/4/134492670/2461922.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4446263/normal_6009263feab3d.pdf (in PDF document text)
    • https://wedemewimobuxet.weebly.com/uploads/1/3/4/3/134309086/6115306.pdf (in PDF document text)
    • https://xipidutaz.weebly.com/uploads/1/3/4/4/134401361/5314598.pdf (in PDF document text)
    • http://www.opentle.org (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://s3.amazonaws.com/zepifudoxapo/png_to_cdr_converter_free.pdf (in PDF document text)
    • https://s3.amazonaws.com/tinezedu/71433743241.pdf (in PDF document text)
    • https://s3.amazonaws.com/juzinaramip/granny_mod_menu_v5.pdf (in PDF document text)
    • https://s3.amazonaws.com/kisimujuk/content_calendar_spreadsheet.pdf (in PDF document text)
    • https://s3.amazonaws.com/gezizefefififa/zufunipesarotavosakasusi.pdf (in PDF document text)
    • https://s3.amazonaws.com/zobuwubedak/8022041358.pdf (in PDF document text)
    • https://s3.amazonaws.com/rorives/dejesobezosedujiwojixef.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://www.gnu.org/licenses/gpl.html (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • stream_003_off00010475.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x10475
    Size: 14208 bytes
    SHA-256: 3bb4d45a4ffd7e73c5893a559c1f842b036255e08430bbb118fe6ee765e233be
  • stream_005_off00015168.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x15168
    Size: 20080 bytes
    SHA-256: c69d7dfb4091e475a430c086d34c8d903c5b07577bf3286def72b4d2ca416c2e
  • font_00_sfnt_off0000f1a3.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF1A3
    Size: 5552 bytes
    SHA-256: 3ce64a65f2b80ba1a3332817a14f800b9604a8e471ae579067ec1058fc8f4626
  • font_02_sfnt_off00012c64.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12C64
    Size: 11100 bytes
    SHA-256: e23205a98ce1fc9824f64eec262e8eb6c68fc7f85c61ba8c88949b2262953a14