Malicious PDF — malware analysis report

Static analysis result for SHA-256 3477ca1c37d3fed1…

Verdict: MALICIOUS

File type: PDF

Size: 84.8 KB
Created: 2021-03-27 11:15:53 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-21
MD5: dd03ddddb4e98a532ae4411825417973
SHA-1: 299e70dfabe658a3ec7844e0c3b05c6e5c55025f
SHA-256: 3477ca1c37d3fed1b1aa129fe0f1f022c499c326190f9bc0be0a3b7d071096dc
Risk Score: 146

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution

The PDF document contains heuristics indicating it is a callback phishing lure, prompting users to call a number in a billing or security context. The presence of external URIs and a ClamAV detection for 'Pdf.Phishing.Trojan' strongly suggests malicious intent. The document body, though heavily obfuscated, contains references to 'Regions bank' and a URL that appears to be part of a redirection chain, further supporting a phishing or scam attack pattern.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9998

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Callback phishing phone lure [medium] SE_CALLBACK_LURE
    Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00010d2a.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x10D2A
Size: 5560 bytes
SHA-256: 484682e0620b5bc79acd55f9d28644b05109a780698a5ce79f8231c0cc8864a2

Filename: font_01_sfnt_off0001200d.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1200D
Size: 11108 bytes
SHA-256: 24269bfacdb9ae322f29d638467dbedd312cd599785f2bbfd0905a36961e1384