Malicious PDF — malware analysis report

Static analysis result for SHA-256 1675a8f35fbe3ddf…

MALICIOUS

PDF

Size: 77.0 KB
Created: 2021-05-26 05:41:38 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-07-13

MD5: ed983542eacad8d5e4b3898e32c4080d
SHA-1: b940815e2632cc93e039c4de152a35ef67655267
SHA-256: 1675a8f35fbe3ddf3de62b24c6849ffb459e815be26e71ccc1e1e6f612d07d31

Risk Score: 164

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged as malicious by the ML classifier (Nyx PDF Classifier, score 0.9997) and by ClamAV, whose signature name (Pdf.Phishing.Trojan-…) places it in a phishing/trojan delivery family. The document's only clickable link annotation points to zajinet.ru, with a utm_term of "android studio tutorial pdf for beginners 2019"; the page text additionally carries twenty links to .pdf files (ten on uploads.strikinglycdn.com, eight on s3.amazonaws.com and two on weebly.com subdomains). A small wkhtmltopdf-generated file that presents itself as a tutorial but consists mainly of a host-clustered list of external PDF links matches the generated SEO/link-farm carriers used to route users into malicious or unwanted-software delivery chains, so the document is assessed as a redirection lure rather than a legitimate tutorial. Note that none of the heuristics below reports embedded JavaScript; the T1059.007 mapping is not corroborated by a finding in this report.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure [low, SE_DOWNLOAD_BUTTON]
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal on its own unless other findings point to a malicious workflow.
  • External URI [info, PDF_URI]
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://zajinet.ru/strik?utm_term=android+studio+tutorial+pdf+for+beginners+2019 (PDF link annotation)
    • https://temetufel.weebly.com/uploads/1/3/1/8/131856903/8db46dd51f9.pdf (in PDF document text)
    • https://wirafoxojobukof.weebly.com/uploads/1/3/4/6/134608935/8013218.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://uploads.strikinglycdn.com/files/96647cb6-f036-48ba-9d9a-330aca0bef67/what_type_of_oil_does_a_predator_6500_generator_use.pdf (in PDF document text)
    • https://s3.amazonaws.com/fomudebipefasu/fingerprint_app_lock_apkpure.pdf (in PDF document text)
    • https://s3.amazonaws.com/kufazete/86104386582.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/0dd57f8b-eff8-4ffb-aa97-5f692a3eb944/guvolizifabitulokof.pdf (in PDF document text)
    • https://s3.amazonaws.com/votawawo/adenite_bacteriana_pediatria.pdf (in PDF document text)
    • https://s3.amazonaws.com/tesodagiwor/ubuntu_bionic_desktop.pdf (in PDF document text)
    • https://s3.amazonaws.com/tufitijinexu/detox_diet_plan_weight_loss.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/9e625501-e844-487c-ac7b-d82dec844fce/relative_pronoun_quiz_4th_grade.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/cb5dfd93-9df7-49da-927b-abc6a2b47c49/engineering_drawing_and_design_7th_edition_free_download.pdf (in PDF document text)
    • https://s3.amazonaws.com/vavabi/buzipozoxomajexamaguruzu.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/7304e689-ef98-4e5d-a7d3-6ec9c6bdf6ac/why_is_the_maserati_granturismo_so_cheap.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/add273cd-674d-482f-9a4d-eb3aa1ed7614/60549432577.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/77988029-fafb-4741-9b0c-8721aa3ef263/dr._faustus_short_summary.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/6fb01555-978e-429e-a91b-ce710fa19361/degiwuzidadogarenewaku.pdf (in PDF document text)
    • https://s3.amazonaws.com/zulezov/15087736565.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/f9b2f216-fa43-4ead-b1b5-84e727b400e2/subway_menu_price_philippines.pdf (in PDF document text)
    • https://s3.amazonaws.com/mavixu/how_many_dish_subscribers_are_there.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/72fb674b-ae3f-4cae-9a66-2358316b0a86/putafisuxawonufedunox.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    Only the zajinet.ru entry is a clickable link annotation; the .pdf entries are plain text in the document body. The w3.org, purl.org and ns.adobe.com entries are XMP metadata namespace identifiers and http://scripts.sil.org/OFL is the SIL Open Font License URL carried in embedded font metadata; the two ascendercorp.com URLs belong to a font vendor and most likely come from the same font metadata. None of these seven is a navigable lure and they should not be counted toward the link-farm signal.
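
The three structural checks behind the PDF_SEO_LINK_FARM, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and EMBEDDED_URL findings above can be reproduced with a raw-bytes sweep of the file. The Python below is an added illustration written for this page, not the analysis engine's own code. It runs on a constructed miniature PDF (not the analysed sample) that carries a host-clustered list of .pdf links in its page text, a /Link annotation, and an incremental update that redefines that annotation with a different /URI. The thresholds for "small file", "many links" and "clustered on one host", and the list of dictionary keys treated as active content, are assumed values, not the engine's.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Triage-grade regexes over raw bytes: they see uncompressed streams and
# literal (...) strings only, and they never follow the xref table. That
# blindness is deliberate here: it exposes *every* definition of an object,
# not just the one a conforming reader would resolve.
OBJ_RE = re.compile(rb'(?<!\d)(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj', re.DOTALL)
URI_RE = re.compile(rb'/URI\s*\(([^)]*)\)')
STREAM_RE = re.compile(rb'stream\r?\n(.*?)\r?\nendstream', re.DOTALL)
URL_RE = re.compile(rb'https?://[^\s()<>\[\]"\']+')
# Assumed list of keys that make a duplicated object "active content".
ACTIVE_KEYS = (b'/JS', b'/JavaScript', b'/Launch', b'/URI', b'/OpenAction', b'/AA', b'/GoToR')


def parse_objects(data):
    """Map (object number, generation) -> every body defined for it, in file order."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return objs


def duplicate_objects(data):
    """Objects whose number/generation is defined more than once with differing bytes."""
    return {k: v for k, v in parse_objects(data).items() if len(set(v)) > 1}


def resolve(data, num, gen, policy):
    """Body a naive reader would use: 'first' (first definition wins) or 'last'."""
    bodies = parse_objects(data).get((num, gen), [])
    if not bodies:
        return None
    return bodies[0] if policy == 'first' else bodies[-1]


def has_active_content(body):
    return any(key in body for key in ACTIVE_KEYS)


def extract_urls(data):
    """Map URL -> set of channels: 'link annotation' (/URI action) or 'document text'."""
    found = defaultdict(set)
    for m in URI_RE.finditer(data):
        found[m.group(1).decode('latin-1')].add('link annotation')
    for s in STREAM_RE.finditer(data):
        for u in URL_RE.finditer(s.group(1)):
            found[u.group(0).decode('latin-1')].add('document text')
    return dict(found)


def link_farm_verdict(urls, file_size, max_size=100 * 1024, min_links=10, min_cluster=0.5):
    """Small file + many external .pdf links + most of them on one host (assumed thresholds)."""
    pdf_links = [u for u in urls if urlsplit(u).path.lower().endswith('.pdf')]
    hosts = Counter(urlsplit(u).hostname for u in pdf_links)
    if file_size > max_size or len(pdf_links) < min_links:
        return False, hosts
    top_count = hosts.most_common(1)[0][1]
    return top_count / len(pdf_links) >= min_cluster, hosts


def triage(data):
    """Run the three checks; duplicate severity is raised only for active content."""
    urls = extract_urls(data)
    farm, hosts = link_farm_verdict(urls, len(data))
    dups = {k: ('critical' if any(has_active_content(b) for b in v) else 'info')
            for k, v in duplicate_objects(data).items()}
    return {'urls': urls, 'link_farm': farm, 'hosts': hosts, 'duplicates': dups}


def build_sample():
    """Constructed test PDF (not the analysed sample). Offsets and xref are omitted
    because the byte sweep does not need them; a real reader would follow /Prev."""
    lines = [f'(https://uploads.example-cdn.test/files/{i:02x}/{1000 + i}.pdf) Tj T*' for i in range(12)]
    lines += [f'(https://s3.example-bucket.test/b{i}/doc.pdf) Tj T*' for i in range(2)]
    content = ('BT /F1 10 Tf 40 700 Td 12 TL\n' + '\n'.join(lines) + '\nET').encode()

    def obj(num, body):
        return b'%d 0 obj %s endobj\n' % (num, body)

    annot = (b'<< /Type /Annot /Subtype /Link /Rect [40 690 300 710] '
             b'/A << /S /URI /URI (%s) >> >>')
    stream = b'<< /Length %d >>\nstream\n%s\nendstream' % (len(content), content)
    original = b'%PDF-1.4\n' + b''.join([
        obj(1, b'<< /Type /Catalog /Pages 2 0 R >>'),
        obj(2, b'<< /Type /Pages /Kids [3 0 R] /Count 1 >>'),
        obj(3, b'<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >>'),
        obj(4, stream),
        obj(5, annot % b'https://example-benign.test/tutorial.pdf'),
    ]) + b'trailer << /Root 1 0 R /Size 6 >>\n%%EOF\n'
    # Incremental update: object 5 0 redefined with a different /URI target.
    update = (obj(5, annot % b'https://lure.example.test/strik?utm_term=tutorial+pdf')
              + b'trailer << /Root 1 0 R /Size 6 /Prev 0 >>\n%%EOF\n')
    return original + update


if __name__ == '__main__':
    sample = build_sample()
    report = triage(sample)
    print('link farm:', report['link_farm'], dict(report['hosts']))
    print('duplicates:', report['duplicates'])
    print('first-wins 5 0:', resolve(sample, 5, 0, 'first'))
    print('last-wins  5 0:', resolve(sample, 5, 0, 'last'))
```

Because the sweep never consults the xref, it sees both bodies of the redefined object, which is exactly what a first-wins versus last-wins comparison needs; a conforming reader following /Prev would only ever show the second /URI. The same blindness is the tool's limitation: URLs inside deflated content streams, and objects packed into object streams (/ObjStm), are invisible to a regex pass until the streams are inflated, and a `/URI` written as a hex string `<...>` instead of a literal `(...)` would also slip past the pattern used here.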

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                       Size
font_00_sfnt_off0000ec69.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xEC69    5820 bytes
    SHA-256: e940816d7ec08ddc69842491c90a554d228e63a8f12e6d96b3bdfca664de5ff8
font_01_sfnt_off00010044.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x10044   10656 bytes
    SHA-256: ac6084480566451dbb4f59a386a555db6a11a689605036d17b94a4318bb0f267