Malicious PDF — malware analysis report

Static analysis result for SHA-256 04284f3de8c0fa43…

Verdict: MALICIOUS
File type: PDF
Size: 88.6 KB
Created: 2021-05-25 05:55:28 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-25
MD5: 3ab9f65897275f2bc10554498fa37aab
SHA-1: cf491b5223be7693b968b2f46c62a2c937bbc000
SHA-256: 04284f3de8c0fa436385fb7f2958a073d25cc125037720dd1318620de289540c
Risk Score: 196

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many of which point to a single domain, suggesting a link farm or SEO abuse. One of the embedded URLs, https://pelibifir.ru/strik, is flagged with unknown reputation and is likely malicious. The heuristics 'PDF_SEO_LINK_FARM' and 'SE_PASSWORD_ARCHIVE_LURE' indicate that the document is intended to trick users into visiting malicious sites or downloading further malware. ClamAV also detected this file as a phishing trojan.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9951

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Password-protected archive handoff [high, SE_PASSWORD_ARCHIVE_LURE]
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning.
  • External URI [info, PDF_URI]
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://pelibifir.ru/strik?utm_term=what+applications+can+agarose+gel+electrophoresis+be+used+for (PDF link annotation)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off00010b4c.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x10B4C  5452 bytes
  SHA-256: 5b984a18a4db1868fff6aff2a53cd488cce9142bce16dd693281e43db8c4a9a9
font_01_sfnt_off00011dc2.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x11DC2  11724 bytes
  SHA-256: e5b57eed46454f9507bd4f2ec2db5c17369627606e6280653e315bc64b902e6f
font_02_sfnt_off00014596.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x14596  4324 bytes
  SHA-256: b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c