Malicious PDF — malware analysis report

Static analysis result for SHA-256 34ce68c22c20cb02…

MALICIOUS

PDF

81.5 KB Created: 2021-04-23 09:14:56 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 439ea8e037f9f3e4782132cffb3f3c00 SHA-1: 21211dbdad2707274d2479d700fcbb9ccfe6849e SHA-256: 34ce68c22c20cb02ff48916987dc232d7e0cfb16b5cf9e464953515425ae4ddb
236 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

The PDF contains heuristics indicating it is a phishing document and attempts a 'ClickFix' social engineering attack, instructing the user to run a command. The embedded URLs, such as 'https://xezojetit.ru/strik?utm_term=cmd+commands+internet+not+working', suggest a malicious intent to redirect the user to a potentially harmful site. The presence of multiple external PDF links also points towards a link farm or redirection tactic.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 7

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • ClickFix social engineering attack high SE_CLICKFIX
    Document instructs the user to press Win+R or paste a command into a terminal — consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://xezojetit.ru/strik?utm_term=cmd+commands+internet+not+working
    • http://kakafeg.scienceontheweb.net/importance_of_reading_skills_in_communication.pdf
    • https://static.s123-cdn-static.com/uploads/4376354/normal_6004989150ff2.pdf
    • https://cdn-cms.f-static.net/uploads/4450419/normal_606365deb9593.pdf
    • https://cdn-cms.f-static.net/uploads/4483354/normal_60445ead4f8ff.pdf
    • https://static.s123-cdn-static.com/uploads/4488570/normal_5fcb73f9d8b65.pdf
    • https://cdn-cms.f-static.net/uploads/4388818/normal_604d0a0f71384.pdf
    • https://static.s123-cdn-static.com/uploads/4495838/normal_5ffbbdb19e8df.pdf
    • https://cdn-cms.f-static.net/uploads/4477369/normal_6055683a41177.pdf
    • https://cdn-cms.f-static.net/uploads/4481053/normal_5fd5f251304e4.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/4b6da9f0-cab2-4578-b3c3-07abae18a87f/game_of_life_conway_gif.pdf
    • https://uploads.strikinglycdn.com/files/006e8375-f6f4-409c-8334-d94d588c8065/durexupili.pdf
    • https://uploads.strikinglycdn.com/files/ce3e01eb-131d-488c-9c7a-12c7433e92d5/16570239035.pdf
    • https://uploads.strikinglycdn.com/files/637fa76d-97bb-421d-87d0-5200f1222d40/givakebupuda.pdf
    • http://letutemoxeluz.onlinewebshop.net/vegobufixenetugigire.pdf
    • https://uploads.strikinglycdn.com/files/b863c2e4-ab4a-4b36-a589-83d3109b3faa/7165179054.pdf
    • https://6376acfe-5884-4251-b3d5-19a03c044549.filesusr.com/ugd/de3d83_9ac86e9ef9964cbea563ee1336353482.pdf?index=true
    • http://zivexotafoni.myartsonline.com/78433978403.pdf
    • https://901c4554-6fda-40bf-8344-1f1538f5dc06.filesusr.com/ugd/a76634_eea337e9a57e40cf8c03a8ec35f26e7d.pdf?index=true
    • https://fa90eb46-aa9b-4fd1-a2e8-e903ec8e50a4.filesusr.com/ugd/575fb0_35afe95cdc3e44d8a2068cc86af0c3b3.pdf?index=true
    • https://eac5c218-d238-408c-98a6-8ff0ecbb25fc.filesusr.com/ugd/b1277d_499a8eaee7674770af30710778113c6a.pdf?index=true
    • https://uploads.strikinglycdn.com/files/3d8ecff2-7ed7-43cd-8c3f-9364d7d7851e/49346988520.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f8d0.bin
f397df1e7d92d3853f1a5494862a1376b9774bc08cd3476b1e625e6fa2520bb8		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF8D0 5288 bytes
font_01_sfnt_off00010abd.bin
a36eee06fef6ce219692c4ec918276ac99413e4fd1e3666e4031624f9289d620		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10ABD 1800 bytes
font_02_sfnt_off0001134a.bin
d33e80aef15266a8c626748982df8bbace9006c2c3f34e383adf7c47eef8e2f0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1134A 10760 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.