Malicious PDF — malware analysis report

Static analysis result for SHA-256 2a3c2a98ba58680d…

MALICIOUS

PDF

84.2 KB Created: 2021-04-20 07:27:41 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-22
MD5: 99e0e2e632b3e4575e46a49fca7314b8 SHA-1: d9261675db5269d0b4b1d2954693216e5573915f SHA-256: 2a3c2a98ba58680db18779328bed73fab7bcd55d36168b1f63277080763e694c
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains a large number of external links, many hosted on disposable domains, suggesting a link farm or redirection scheme. The primary URL, 'https://lozipotod.ru/strik?utm_term=how+to+prepare+for+christ%2527s+return', is likely part of a phishing or scam campaign. Although no scripts were explicitly extracted, the PDF structure and heuristic firings indicate malicious intent, possibly involving embedded JavaScript for redirection or exploitation.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://lozipotod.ru/strik?utm_term=how+to+prepare+for+christ%2527s+return PDF link annotation
    • https://cdn-cms.f-static.net/uploads/4376126/normal_6062b57c705fb.pdfIn PDF document text
    • https://tobadagagu.weebly.com/uploads/1/3/4/7/134750152/48c16db78e6e.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4458618/normal_6037c635a2f41.pdfIn PDF document text
    • https://rebodegumirimak.weebly.com/uploads/1/3/0/7/130775130/1714071.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4367667/normal_5fee25d4a07cb.pdfIn PDF document text
    • https://tosoremekik.weebly.com/uploads/1/3/4/7/134771766/debe8822c375f.pdfIn PDF document text
    • https://reravonox.weebly.com/uploads/1/3/1/8/131856904/mireramine.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/f7f6f03c-734f-478b-9ab1-e8018f471e53/86248812198.pdfIn PDF document text
    • https://s3.amazonaws.com/retobifulipo/music_artist_biography_template.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/aa5c1c43-18dc-4f2d-9b0c-e03ffb66ecfe/nagimaw.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/10b62dc0-d214-431e-892f-a55af3712d8a/21201034730.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/631b6078-df3c-4b70-bc53-5a6e5b7f91de/how_to_fill_bobbin_on_old_singer_sewing_machine.pdfIn PDF document text
    • https://s3.amazonaws.com/rorives/loctite_577_datasheet.pdfIn PDF document text
    • https://s3.amazonaws.com/jakujakula/59094086427.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/aff804fe-c7e6-4a50-a3a2-dd8db7d0cf26/centaur_gaming_keyboard.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/949cd1fb-cba8-4113-a1e5-71fcf8cccc97/gejijololos.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/478c7b83-de19-479e-834d-f6e78574023f/sagafonutixiwelafitab.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/8be945b8-7f02-4ca4-9328-3fe426e1b99b/murray_42_riding_lawn_mower_owners_manual.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00010c48.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10C48 5156 bytes
SHA-256: 6933ec1483345cf45952f4b7cd31198cc3990df81e62c4ca2bed3bf9bdcd0cf3
font_01_sfnt_off00011dec.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x11DEC 11016 bytes
SHA-256: 151b8525847ef8167b9defb0cc5db230fe0ccf1b43b2ea5b449c4ce8d4bff342