Malicious PDF — malware analysis report

Static analysis result for SHA-256 45a9686443c38281…

Verdict: MALICIOUS
File type: PDF
Size: 81.7 KB
Created: 2021-06-04 23:17:16 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-08-20
MD5: f4a6d64de24d6cb1ea7a5bddc94e6182
SHA-1: c8ba949dff26bccbb0476129af6002735a71fc65
SHA-256: 45a9686443c382816c1ab3dc4b796cb407e70774c039feab75f8dc136fd5c933
Risk Score: 196

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file exhibits characteristics of a phishing lure, employing a link farm and SEO redirector to disguise its malicious intent. The primary URL, 'https://ketchas.ru/pbw?utm_term=20+amino+acids+structures+and+names+pdf', suggests a deceptive attempt to trick users into downloading further content. The ML classifier and ClamAV detection strongly indicate malicious activity, likely related to malware distribution or credential harvesting.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) (high, PDF_SEO_UTM_REDIRECTOR_LINK)
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector: the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ketchas.ru/pbw?utm_term=20+amino+acids+structures+and+names+pdf (PDF link annotation)
    • https://cdn-cms.f-static.net/uploads/4380073/normal_5fd3095a5ce12.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4457847/normal_601fa64cbef7b.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4480891/normal_604ca5992a9cb.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4447251/normal_6053e1b648670.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4414495/normal_6068e1fb3f3f4.pdf (In PDF document text)
    • https://kekoweditolig.weebly.com/uploads/1/3/2/6/132683085/newizafaziv.pdf (In PDF document text)
    • https://nijifepobolo.weebly.com/uploads/1/3/5/3/135316947/nalazekawidaw.pdf (In PDF document text)
    • https://ruzutemeba.weebly.com/uploads/1/3/2/6/132681300/vatorojajegafo.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4422163/normal_606a5e7763ce0.pdf (In PDF document text)
    • https://xuremesedadewo.weebly.com/uploads/1/3/4/5/134500919/xowagoruzi.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4408464/normal_60281b7285bbf.pdf (In PDF document text)
    • https://static.s123-cdn-static.com/uploads/4410459/normal_5fc5816e82224.pdf (In PDF document text)
    • http://www.ascendercorp.com/ (In PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (In PDF document text)
    • https://uploads.strikinglycdn.com/files/02d42ac6-7c62-482a-bff8-0cb29655c0d9/what_is_the_main_idea_of_in_flanders_fields.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/e7a0d20a-94f5-4499-ac88-511db74b7921/how_long_does_it_take_to_bake_costco_macaroni_and_cheese.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/2815b0ed-3375-42e4-8d74-e6932056d8a6/28300484354.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/1b4752d9-d431-4471-aff2-c56c6778b78c/trigonometric_identities_problems_for_class_11.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/e86f4e5d-224f-4f4a-870a-2b5ef34e3488/28521500438.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/8669c913-79f1-4568-8222-6a736e0d692b/kenmore_he2_washer_instructions.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/268281a9-6fbc-439b-9fa4-5aad7a345942/57245916738.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/d019092b-fd15-43a7-a9c9-f7f45d8f2f37/folic_acid_drug_nursing_considerations.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/c1f5f072-3e31-4e74-815a-23ec3ad11822/how_to_read_ao_smith_serial_number.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/f164231a-0f05-4faf-b200-5eb93c293a5d/kafamijafevawifisu.pdf (In PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (In PDF document text)
    • http://purl.org/dc/elements/1.1/ (In PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (In PDF document text)
    • http://scripts.sil.org/OFL (In PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000ffc1.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFFC1 | 5448 bytes
  SHA-256: 1619752f0447eb2e478983507e0a80abe857958293c4331f9ae9f083af7bcd57
font_01_sfnt_off0001122f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1122F | 10916 bytes
  SHA-256: 8467c6e8a904574ac173056c877be82fbad216b6ef6f8a2ab1abc02eac745005