Malicious PDF — malware analysis report

Static analysis result for SHA-256 29c6230db1378278…

MALICIOUS

PDF

79.0 KB Created: 2021-06-11 11:05:29 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-27
MD5: 393b7c7cc98c2e9ebd77e4b5c6f74d5b SHA-1: 2f0672178d05edc1732f30e2053559ecaf657588 SHA-256: 29c6230db1378278e219e6e354fe2112144ed78f564303071aff41d6e21572e5
216 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

This PDF file was flagged as malicious by ML classifiers and ClamAV, indicating a phishing attempt. It impersonates Instagram to lure users into clicking a link that redirects to a malicious URL, likely to steal credentials. The PDF also contains a large number of external links, suggesting a link farm or SEO manipulation tactic to distribute the phishing lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Brand-impersonation credential phishing lure critical SE_BRAND_CREDENTIAL_PHISH
    Document impersonates a well-known consumer brand and uses account-security / verification language ('unusual activity', 'account on hold', 'verify your account') to steer the reader to a credential-harvesting link. Corroborated by: action link to abused redirector https://zegijavevezedoj.weebly.com/uploads/1/3/4/3/134309525/379442.pdf.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://medvor.ru/pbw?utm_term=samsung+on7+google+bypass+apk PDF link annotation
    • https://zegijavevezedoj.weebly.com/uploads/1/3/4/3/134309525/379442.pdfIn PDF document text
    • https://sodujamewo.weebly.com/uploads/1/3/4/7/134750465/6721282.pdfIn PDF document text
    • https://bebiluredop.weebly.com/uploads/1/3/3/9/133987060/2582525.pdfIn PDF document text
    • https://penusifobituje.weebly.com/uploads/1/3/4/3/134314418/b94dc967a79.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4383136/normal_6006841d11e4c.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4479213/normal_601b4ac6e4e10.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4448556/normal_604b00a2c1513.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4385021/normal_60be46d65682a.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4488349/normal_604bba8e1a8c3.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/7a325e4f-dd61-456a-8b96-2fa503ec5847/how_long_does_it_take_to_charge_my_magic_mouse_2.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/2d31e66b-2d03-46be-8e70-dab5aa4f1efa/xulabika.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/f56364b8-bb85-4355-9c54-b66ecff9c365/35470116958.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/51effc92-8a78-4859-86b9-d2a7864f6c22/english_conversation_17_anh_ngu_vips.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/da02024d-c628-4317-b29c-3915435ff14e/1473684728.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/93117448-975c-4fba-86c0-14247064b783/62727659325.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/7a9249ac-c370-4bfe-bc3c-be6a3bec33e4/86090072117.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/d87f1944-11ad-4f13-876a-5851432709b0/pickup_impression_to_add_teeth_to_partial.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/65d1a7d6-3975-406f-a9ea-5aa36421b435/vomutu.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/b4a65ae5-db90-441a-8884-393e3e67d4bc/12_verb_tenses_in_english.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/cd4890b5-e2da-4abb-8e6e-9da3fd9762dd/eaton_approved_transmission_fluid.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f650.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF650 5532 bytes
SHA-256: e5e60e13006d72da73f33c697b88b3abf50581cb231e1605b983e69f66832f8c
font_01_sfnt_off00010922.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10922 11108 bytes
SHA-256: 97f9f0f61c60ce998980478b8011963f767af55f66cc6a12de4ca1dd61a59211