Malicious PDF — malware analysis report

Static analysis result for SHA-256 22332af9be133669…

Verdict: MALICIOUS
File type: PDF
Size: 117.6 KB
Created: 2021-03-19 21:22:32 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f3b47aae41542b2cba669da28df79f45
SHA-1: 7dfa9392330742c8683c8b703ec7c21ffbf16226
SHA-256: 22332af9be1336690d5188230958f257dbd059f7b4fa4bf86860be353c68283d
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, with one pointing to 'zajinet.ru', suggesting a link farm or phishing attempt. ClamAV and ML classifiers also flagged this PDF as malicious, specifically as a phishing trojan. The presence of embedded URLs and the structure of the PDF indicate it's designed to redirect users to potentially harmful sites, likely for credential harvesting or further malware delivery.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9994

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://zajinet.ru/wix?keyword=pathfinder+kingmaker+phylactery+of+positive+channeling+location

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00018b85.bin
  SHA-256: e5ddd1cef346dbd8e3781c1b9c91a8360187f264be923568aafa4f69c3b49c74
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x18B85
  Size: 5796 bytes

Filename: font_01_sfnt_off00019f26.bin
  SHA-256: fef3951533024dab7f1ddb769892b18389f43e1f341355aabd242a3b6a8e87c3
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x19F26
  Size: 11964 bytes