Malicious PDF — malware analysis report

Static analysis result for SHA-256 3cf0bed1a477f2ed…

MALICIOUS

PDF

Size: 99.1 KB
Created: 2021-03-29 02:26:12 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a8852f130207890b16d51c689d80a396
SHA-1: ae8d5e62af7e79eea4413fef7bec87df3218d7a5
SHA-256: 3cf0bed1a477f2ed552b9bfb86ba7d780a01ecc005351ad94d9f51b69f30267c
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, with one heuristic specifically identifying a 'PDF_SEO_LINK_FARM' suggesting a large number of outbound links intended to manipulate search engine results or direct users to malicious sites. The ML classifier and ClamAV both flagged the file as malicious, with ClamAV identifying it as 'Pdf.Phishing.Trojan'. The primary malicious URL identified is zajinet.ru, which is likely used to host or redirect to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9912

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://zajinet.ru/award?keyword=a+computational+approach+to+edge+detection+pdf
    • https://static.s123-cdn-static.com/uploads/4410016/normal_5fe530a32bd9c.pdf
    • https://visumosibe.weebly.com/uploads/1/3/0/8/130814065/mikuxikapew.pdf
    • https://ramokazadi.weebly.com/uploads/1/3/4/4/134470245/4dd5777.pdf
    • https://rodagekutav.weebly.com/uploads/1/3/5/3/135313742/9893539.pdf
    • https://cdn-cms.f-static.net/uploads/4481162/normal_603ed49779c01.pdf
    • http://muriwilosakud.iblogger.org/39401552193.pdf
    • https://cdn-cms.f-static.net/uploads/4389365/normal_601eaa7b54aaf.pdf
    • https://cdn-cms.f-static.net/uploads/4465263/normal_605010fe9df46.pdf
    • https://cdn-cms.f-static.net/uploads/4412895/normal_60462fb23c5b9.pdf
    • https://wimelavejitovuv.weebly.com/uploads/1/3/4/5/134597731/fejesarelolerevufek.pdf
    • https://gagegopered.weebly.com/uploads/1/3/4/8/134880179/wuvusa_lirelotixipomod.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/b8b7ac6c-743d-4d61-b352-d2014f3261df/what_is_h6_error_in_gree_ac.pdf
    • https://uploads.strikinglycdn.com/files/e0daaf67-0835-42c2-8be4-faab32d0ca92/97397578381.pdf
    • https://uploads.strikinglycdn.com/files/e6affd9e-6f4c-49f5-b457-e9d16ac3d9b0/20554492891.pdf
    • https://s3.amazonaws.com/tulosa/45610772509.pdf
    • https://s3.amazonaws.com/xomepixo/html_css_js_templates_free.pdf
    • https://s3.amazonaws.com/vatosolikijike/blotting_paper_face_sheets.pdf
    • https://uploads.strikinglycdn.com/files/08d35ce8-dc24-4af1-be0e-004c6ca4423f/76215220910.pdf
    • http://nizexududitew.epizy.com/xexalafaw.pdf
    • https://uploads.strikinglycdn.com/files/906e0934-0afb-4a8f-8fd7-c096b086cd43/how_to_write_a_simple_song_lyrics.pdf
    • https://uploads.strikinglycdn.com/files/1210abba-6a69-4b1d-9720-64ef0cf4f78f/mixupupefelarotiruzox.pdf
    • https://uploads.strikinglycdn.com/files/f4a91eb4-27b5-4e1b-9846-88f8f17fcbb9/gegodinubolazape.pdf
    • https://s3.amazonaws.com/pulujolatepuv/how_many_thermostats_does_a_2013_dodge_avenger_have.pdf
    • https://s3.amazonaws.com/davolazupivowi/ramugurolivukurudusober.pdf
    • http://terekeduwowe.rf.gd/panasonic_cf-53_specifications.pdf
    • https://uploads.strikinglycdn.com/files/d843d7e0-f090-4add-b22c-895f9675b397/729347191.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00011dcc.bin | 6140062f3e0d0da57b971f40ff1653a2c1d6aa6eb6564c7f4a0985d6e9c03f37 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11DCC | 5260 bytes
font_01_sfnt_off00012f7a.bin | 66f4957c47f05af1bf410996b2d69a4c2219d6f3e0173410dfc55a4bd9acd54d | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12F7A | 12284 bytes
font_02_sfnt_off000158fd.bin | 16ec8717e79109bdf41b84b2d95e1e14a4025ba571ded87f7fafd23da5100dd2 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x158FD | 16116 bytes
font_03_sfnt_off00016ddf.bin | 4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x16DDF | 4324 bytes