Malicious PDF — malware analysis report

Static analysis result for SHA-256 41cac699e8910c26…

Verdict: MALICIOUS
File type: PDF
Size: 115.2 KB
Created: 2021-05-24 12:05:49 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-06-20
MD5: 03723077ca24e3d4139f9d2ee8b317f5
SHA-1: 9351db540ca286013a3570e9d33a44c9edd9d8a9
SHA-256: 41cac699e8910c266e7cae8206ab6ca69e59f465e4bd38bd35517e403964c6d1
Risk Score: 246

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.001 User Execution: Malicious Link

The PDF contains a significant number of external links, many pointing to disposable hosting, and is flagged as a link farm. A critical heuristic identifies it as a brand-impersonation credential phishing lure, specifically mentioning 'Target' and an abused redirector URL. The ML classifier also strongly indicates maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (7)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Brand-impersonation credential phishing lure [critical] SE_BRAND_CREDENTIAL_PHISH
    Document impersonates a well-known consumer brand and uses account-security / verification language ('unusual activity', 'account on hold', 'verify your account') to steer the reader to a credential-harvesting link. Corroborated by: action link to abused redirector https://getaforufuzok.weebly.com/uploads/1/3/4/7/134733873/9e803c.pdf.
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://jacksth.ru/wb?keyword=reif%20principles%20of%20statistical%20and%20thermal%20physics (PDF link annotation)
    • https://cdn-cms.f-static.net/uploads/4420476/normal_600ddf19c0837.pdf (in PDF document text)
    • https://getaforufuzok.weebly.com/uploads/1/3/4/7/134733873/9e803c.pdf (in PDF document text)
    • https://kemewekodu.weebly.com/uploads/1/3/1/8/131857474/kowapaleb_tovum.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4465151/normal_5fc9c07783f66.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4423428/normal_5ff2e5ae7c59f.pdf (in PDF document text)
    • https://vekerarefatada.weebly.com/uploads/1/3/4/8/134868636/d83464.pdf (in PDF document text)
    • https://logavamu.weebly.com/uploads/1/3/4/7/134746434/2053179.pdf (in PDF document text)
    • https://nepopuzabigeju.weebly.com/uploads/1/3/4/8/134856357/dasuzapog.pdf (in PDF document text)
    • https://kukonite.weebly.com/uploads/1/3/4/6/134611202/b6314417f9.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4419650/normal_6024a564c3686.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://s3.amazonaws.com/tarajix/hp_eprint_class_driver.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/5e1dcd11-630e-42b0-82f4-d76187c16ce2/muxulakiroturutivu.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/fc9efc51-a7c1-4404-877d-21702f27c644/epson_wf-2540_printer_says_out_of_paper_but_it_isnt.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/9d6e0253-e00d-4a5d-a14c-3322f7ed2554/dojuvo.pdf (in PDF document text)
    • https://s3.amazonaws.com/juzinaramip/20370986950.pdf (in PDF document text)
    • https://s3.amazonaws.com/pibabopuduj/breaking_free_beth_moore_workbook.pdf (in PDF document text)
    • https://s3.amazonaws.com/bokexizometun/taylor_kitchen_scale_calibration.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/f2659e08-155b-41d6-9d62-e22736cfc51b/jugiwibamame.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/50d61868-833a-4e2a-8bf3-f03e4a05d9a7/ms_project_2007_free_download_with_crack_64_bit.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00016b41.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x16B41
    Size: 5504 bytes
    SHA-256: ff76fa35b127c53c1278fdf5bce421a866e98e5b207096fde2cbb7f1daa40a90
  • font_01_sfnt_off00017de0.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x17DE0
    Size: 13684 bytes
    SHA-256: 9b023297bd46afda2aa55abb3f332869c35bec4a113ebdd9cd6aab1cf64d7dd6
  • font_02_sfnt_off0001aa4b.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1AA4B
    Size: 16060 bytes
    SHA-256: a428e84a47d03438fd5ed8c13af51c073340c28df02463183879d2df9ebd4b49