Malicious PDF — malware analysis report

Static analysis result for SHA-256 46bae6f112aba5aa…

MALICIOUS

PDF

98.1 KB Created: 2021-04-13 15:47:32 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-23
MD5: 02876dcf4d0791c44252cf273360ce67 SHA-1: 8be3d8c30910e0efc037f89988c5f25725d70332 SHA-256: 46bae6f112aba5aa3ee64cace302f11c95f835c0cb9973f407b7e2e599ee09a3
256 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1190 Exploit Public-Facing Application

The PDF document contains a lure related to hacking Hikvision DVR passwords, directing users to an external URL. Heuristics indicate a link farm and potential credential harvesting, specifically mentioning MFA lure. The ML classifier and ClamAV detection strongly suggest malicious intent, likely for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 8

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • MFA / one-time-code harvesting lure high SE_MFA_LURE
    Document asks for a one-time code, authenticator approval, or MFA confirmation — consistent with credential phishing kits that steal session tokens or abuse multi-factor authentication
  • QR-code redirect lure medium SE_QR_LURE
    Document instructs the user to scan a QR code with a phone — consistent with QR phishing, but also common in legitimate documents
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://maypoin.ru/strik?utm_term=how+to+hack+hikvision+dvr+password PDF link annotation
    • http://motegolev.22web.org/tv_guide_movie_channels_uk.pdfIn PDF document text
    • http://dojoposurubim.22web.org/12th_chemistry_formulas_free_download.pdfIn PDF document text
    • https://winomumamo.weebly.com/uploads/1/3/1/0/131070375/zofopekivulejod-xamatep.pdfIn PDF document text
    • https://fetatoba.weebly.com/uploads/1/3/4/6/134689412/vusifagisidut_jezaponobepi_fatoregopo_pipizuzad.pdfIn PDF document text
    • http://kalewolasufer.22web.org/mridangam_lessons_book.pdfIn PDF document text
    • https://pigodebi.weebly.com/uploads/1/3/4/8/134864190/1f133847eb35.pdfIn PDF document text
    • http://rukafuxofi.iblogger.org/blu-ray_sony_bdp-s1500_manual_en_espaol.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://s3.amazonaws.com/xidazeze/glaucoma_guidelines_2019.pdfIn PDF document text
    • http://xegefonupekowa.epizy.com/ranotuwo.pdfIn PDF document text
    • https://s3.amazonaws.com/bitajemisajoz/lotirobudor.pdfIn PDF document text
    • https://s3.amazonaws.com/daniwodug/aws_cloud_security_engineer_job_description.pdfIn PDF document text
    • http://putuvapade.epizy.com/archangel_s_heart_free_download.pdfIn PDF document text
    • https://s3.amazonaws.com/nevovumowa/injury_report_nba_golden_state.pdfIn PDF document text
    • http://taxifegizuni.epizy.com/nekopivufemosutafet.pdfIn PDF document text
    • https://s3.amazonaws.com/kovilowab/detilugumutiwixizekilaj.pdfIn PDF document text
    • https://s3.amazonaws.com/topipovikapari/7266970088.pdfIn PDF document text
    • http://robireroruvudi.epizy.com/85244909013.pdfIn PDF document text
    • https://s3.amazonaws.com/rilexazejuzovep/pumaxiw.pdfIn PDF document text
    • http://zitamekoliliwe.rf.gd/podixisekijajavokom.pdfIn PDF document text
    • http://reronagut.epizy.com/vinelawidekiwutavowufa.pdfIn PDF document text
    • http://naledabizozede.epizy.com/34302361894.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00013d66.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x13D66 5308 bytes
SHA-256: b3856d7f2a4d4f7debdacd945b66a347de1192bef3e398be1459357f29c86bbf
font_01_sfnt_off00014f7f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x14F7F 13072 bytes
SHA-256: 1d3bb71059001a3a2c77414b3fe39dbacdf95156bbfa4d2f6606a59547b36e81

Open this report in the interactive analyzer, or submit your own file for analysis.