Malicious PDF — malware analysis report

Static analysis result for SHA-256 08a4a3c7a2fa5674…

MALICIOUS

PDF

74.2 KB Created: 2021-04-10 12:42:17 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-21
MD5: 1ef9a9ab66ef6e4b9d43c7f982a27851 SHA-1: 91e3b11d131836eb1f73025bf21f1d113aa21886 SHA-256: 08a4a3c7a2fa56743ba411dbf31f51d58892c1c1c24517f5fdc3fb57b1605df9
166 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution T1059.007 JavaScript

This PDF document was flagged by ML classifiers and ClamAV as malicious, exhibiting characteristics of a ClickFix social engineering attack. The document body, though heavily obfuscated, suggests a lure related to 'Microsoft outlook 365 user guide'. The presence of numerous external URIs, many hosted on disposable domains, indicates a phishing or credential harvesting attempt. The document likely exploits a PDF vulnerability to execute a second-stage payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • ClickFix social engineering attack high SE_CLICKFIX
    Document instructs the user to press Win+R or paste a command into a terminal — consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://kuzutuzo.ru/strik?utm_term=microsoft+outlook+365+user+guide PDF link annotation
    • https://cdn.sqhk.co/lomekojop/iv7jatV/applock_fingerprint_pro_crack.pdfIn PDF document text
    • https://cdn.sqhk.co/xasakeza/jc1eKS4/best_survival_rifle_22lr.pdfIn PDF document text
    • http://walkover.me/how_to_become_an_international_business_managerpqmvt.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4408853/normal_60214f72589e3.pdfIn PDF document text
    • https://vamotavobepud.weebly.com/uploads/1/3/1/4/131438348/5139272.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4493227/normal_604a3be99a9a2.pdfIn PDF document text
    • https://peruvapi.weebly.com/uploads/1/3/0/8/130813059/494776.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4464302/normal_5ffae6347dd3b.pdfIn PDF document text
    • https://cdn.sqhk.co/kasuwajavi/hhgidjf/mechanics_bank_hours_saturday.pdfIn PDF document text
    • http://leon-stavki.info/u_verse_silver_remote_programmingrf8c9.pdfIn PDF document text
    • https://cdn.sqhk.co/lulaxujik/YWmMjMt/steel_ball_yba_item.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4448976/normal_601ef08e94cd3.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4368504/normal_5fcc50ff2e057.pdfIn PDF document text
    • https://xizulorojude.weebly.com/uploads/1/3/5/3/135391297/tujigoxeluniresevi.pdfIn PDF document text
    • https://mebagotu.weebly.com/uploads/1/3/4/4/134444887/juvovidaguruk.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4374835/normal_604b2bd8d39d5.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/d5a3a1ba-6498-4b19-9a65-bebf9efa39e2/etc_smartfade_ml.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/4254a233-f4b4-465e-bc1e-8b7a35500297/55676505292.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/34b66490-7ed0-4893-8039-42a4cd293683/define_law_by_different_scholars.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/c14faef3-09ac-4337-a23f-f447565cc89f/saputowom.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e575.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE575 5488 bytes
SHA-256: aec29214b9c01cae8e463241c75f3cbe3ae2085d0292eacf08e5792b30609d03
font_01_sfnt_off0000f83f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF83F 10396 bytes
SHA-256: 0ece0eb71f67846ac03c8667a40a0353c8a2f6c2c760ef76b5cf0c9c382b723d