Malicious PDF — malware analysis report

Static analysis result for SHA-256 453d069ed41fae6e…

Verdict: MALICIOUS
File type: PDF
Size: 80.0 KB
Created: 2021-03-06 10:19:17 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-05-22
MD5: d70364463271dbd35e90d6c6aac9c9bd
SHA-1: d7a66ae2421bafc03de760c69e28c7734899006c
SHA-256: 453d069ed41fae6e463ba4f84c894b5420ac237d5d6e2676c459da3fb17ac21e
Risk Score: 126

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by multiple heuristics, including a critical ClamAV detection for 'Pdf.Phishing.Trojan' and an ML classifier indicating maliciousness. It contains an embedded URI pointing to 'https://pelibifir.ru/award', which is likely a phishing or malware distribution site. The PDF structure and embedded links suggest it's part of a phishing campaign, potentially using a lure related to geography to trick users into visiting the malicious URL.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9961

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting (severity: medium, rule: PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://pelibifir.ru/award?keyword=map+of+the+world+continents+and+oceans (PDF link annotation)
    • https://cdn.sqhk.co/filodomazora/cic7gcR/spiritual_gifts_list.pdf (in PDF document text)
    • http://menetufebev.22web.org/letter_from_santa_template_word.pdf (in PDF document text)
    • https://cdn.sqhk.co/ramidazumiko/hchhwfi/spaceflex_rocket_company_mod_apk.pdf (in PDF document text)
    • https://cdn.sqhk.co/mifimafonuku/2ojb7ic/tiny_kingdom_builder_game.pdf (in PDF document text)
    • https://cdn.sqhk.co/ramidazumiko/ariihbw/91846177610.pdf (in PDF document text)
    • https://cdn.sqhk.co/sevijeruba/oFUGhfD/40361727934.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://uploads.strikinglycdn.com/files/4d8e6d42-8070-4a0d-bb3c-0f7fe3576c8c/85505622214.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/e44d0ea7-a69a-4af4-b9b0-4501e0261e63/baby_einstein_sea_dreams_soother_instructions.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/03116c38-593f-475a-bd34-142f973b847d/gixabenesebufudij.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/afe74792-ba38-47d1-aec0-97506c40369a/vujoduwit.pdf (in PDF document text)
    • https://s3.amazonaws.com/sesijesule/does_walmart_pharmacy_do_shingles_shots.pdf (in PDF document text)
    • https://s3.amazonaws.com/jenisozazewubo/free_all_3_bureau_credit_report.pdf (in PDF document text)
    • http://sidiwen.epizy.com/moluvaxazepowesig.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/4106611e-1fcf-41e2-bae1-559f0b327601/how_to_connect_bluetooth_polaroid_speaker.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/d748e722-e3e6-4500-9999-fe1b405c06bc/6077179831.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/6f18297b-7f95-49e7-ad26-4af8005fb259/72898104655.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/3d060268-1809-4d76-a0b4-e659c987b628/47066244555.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/e41c31a4-7fa6-4da6-97ad-d9c9ad6ecca1/wordpress_admin_login_url_database.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/ab253d84-2386-44f5-a78a-915c54da6596/wix_embed_header_code.pdf (in PDF document text)
    • https://s3.amazonaws.com/lulelepese/the_volume_on_my_directv_remote_wont_work.pdf (in PDF document text)
    • https://s3.amazonaws.com/vuxirefare/how_to_fall_out_of_love_while_still_in_a_relationship.pdf (in PDF document text)
    • https://s3.amazonaws.com/tigovatolis/bitcomet_not_ing.pdf (in PDF document text)
    • http://fakomufe.epizy.com/human_anatomy_laboratory_manual_with_cat_dissections_8th_edition_free.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/165a8ef9-06ed-4174-91c9-a5fb9583db14/2013_dodge_grand_caravan_repair_manual_free.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/0353b92f-7421-4257-a51c-12bb8eec3764/john_owen_mortification_of_sin_audio.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/6c1b01ed-e768-4739-a607-e57165e54dcd/dumoxamagujove.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/b46cf310-3257-4283-85df-d30753130921/86770487980.pdf (in PDF document text)
    • http://kozolamo.rf.gd/how_to_use_cheat_engine_on_bluestacks_games.pdf (in PDF document text)
    • http://gorefoverotiw.epizy.com/56268848770.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000fb9e.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xFB9E
Size: 5340 bytes
SHA-256: bc54dd4274f580cfca824497955c605814449fb3a6c8777b8012263133ae0782

Filename: font_01_sfnt_off00010de5.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x10DE5
Size: 10564 bytes
SHA-256: 494c07a8abc704a2283cd9183a4b477c8e0e00a94df43e988fbe9b234e2025de