Malicious PDF — malware analysis report

Static analysis result for SHA-256 155f79af2e97ad02…

MALICIOUS

PDF

75.3 KB Created: 2021-03-17 18:21:09 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-20
MD5: 636ec9653c31a2c2d930500fea2b689b SHA-1: 24f37fdcf7e88a3fa99eb7913b50ced3dd89eb74 SHA-256: 155f79af2e97ad02a4edbd2a056465664cb55bfb501fe736e87ae4621576bf7c
266 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution T1059.007 JavaScript

This PDF file exhibits characteristics of a social engineering attack, specifically a 'ClickFix' variant, aiming to bypass security measures. It contains numerous external links, many hosted on disposable domains, suggesting a link farm designed to redirect users to malicious content. The document explicitly instructs users to disable security software and execute commands, which is a strong indicator of malicious intent to download and execute a secondary payload. The ML classifier and ClamAV detection further support its classification as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 8

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClickFix social engineering attack high SE_CLICKFIX
    Document instructs the user to press Win+R or paste a command into a terminal — consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly
  • Security software disable instruction high SE_SECURITY_BYPASS
    Document instructs the user to disable antivirus or security software — unusual for ordinary documents and high-risk in an unsolicited file
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://golowaki.ru/strik?utm_term=logitech+wave+keyboard+some+keys+not+working PDF link annotation
    • https://dixelopenam.weebly.com/uploads/1/3/4/5/134590152/aa36762630e5f8.pdfIn PDF document text
    • https://pogiwubuwafax.weebly.com/uploads/1/3/0/7/130775808/7456291.pdfIn PDF document text
    • http://vipadobotisituz.mygamesonline.org/nullclines_and_equilibrium_points_calculator.pdfIn PDF document text
    • https://zamovolipizutuj.weebly.com/uploads/1/3/1/0/131070940/woxexoj.pdfIn PDF document text
    • http://gisoboxizaza.mygamesonline.org/26386886779.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/f1af3ae4-9fce-4cad-a59b-232d2ad0170a/31155067396.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/35c8e0dd-629e-47b9-85a8-e221f64f55d0/86991394663.pdfIn PDF document text
    • http://noroved.myartsonline.com/how_to_board_a_ship_in_the_navy.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/f4bdc9fc-b1b1-400e-9f9c-b6357b20c0cf/xusuxemilefutifevusala.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/a08abd2c-57a5-4484-973b-0e7843da8af6/zemexiwurebu.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/f827b611-5e2f-4da3-ada2-02947625eaca/top_ten_biggest_river_in_the_world.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/981216a6-49f8-4608-977a-b94e87430bda/que_es_denuedo_en_la_biblia.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/0cdd4627-3701-425d-874d-369e465bd8ac/how_much_does_a_graphic_designer_make.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/f245cd4e-5e89-4220-847d-61bf5c6ddee6/motorola_talkabout_t460_manual_espaol.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/0ef1ea6a-bab0-45bc-9023-06dff29b180d/el_conde_de_montecristo_sinopsis_del_libro.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/e027f318-a2ac-497e-92ed-30fa1eedf543/singer_simple_sewing_machine_3232_instructions.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/c586b1ef-916c-4d14-9a96-c1638fc9bbb8/jagux.pdfIn PDF document text
    • http://nakixaxev.myartsonline.com/arobnjak_iz_oza.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/b6fe8939-fc05-4d6a-952f-b892fe5097d4/how_to_clean_avent_3_in_1_sterilizer.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/6c302af3-7479-40a8-a4da-805d1aad319f/how_do_i_charge_mophie_powerstation_xl.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/e7cd3b72-a311-4323-9ec3-a02a60dba14d/aviation_boatswains_mate_fuels_job_description.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e637.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE637 5720 bytes
SHA-256: e22ad99e4bb54eb1b11f05f5378adbd9f308dd235fb41b8193b5866c4d230c26
font_01_sfnt_off0000f9a8.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF9A8 11416 bytes
SHA-256: 49141407ede3f62edf9621eb0543380afd26519b5353654a4ef6dc7cd3aa99a4

Open this report in the interactive analyzer, or submit your own file for analysis.