Malicious PDF — malware analysis report

Static analysis result for SHA-256 223ba8c575d681f6…

Verdict: MALICIOUS
File type: PDF
Size: 103.0 KB
Created: 2021-05-19 12:17:48 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-16
MD5: b45b4602a85344c4dcfb33b7e0788876
SHA-1: b0aefbd1f461a04b952278a83cf73d05a085ac37
SHA-256: 223ba8c575d681f652be0298ffb50fad05fcd3d9a1b0981bff17159ba972e159
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous external links, a technique often used in phishing or SEO spam campaigns. One prominent URL, 'https://zajinet.ru/strik?utm_term=destiny+2+solo+strike+pc+2020', suggests a lure related to the game Destiny 2. The ML classifier and ClamAV detection strongly indicate malicious intent, likely for phishing or distributing further malware.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9989

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://zajinet.ru/strik?utm_term=destiny+2+solo+strike+pc+2020 (in PDF link annotation)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off000142fb.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x142FB | 5344 bytes
  SHA-256: 70d34a60f406cfc8749394e9ef242187b4109198cecad16993060e25f6f1eefb
font_01_sfnt_off0001557c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1557C | 5156 bytes
  SHA-256: ad2d80f446d7bffea84489bfcdce23128e2e7c5067e154d63827b552b6e1599f
font_02_sfnt_off0001672c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1672C | 11876 bytes
  SHA-256: c5cb40924d155905a78140ee873248e7fa33b54ad212a2df6cc36ac0ba06a85e