Malicious PDF — malware analysis report

Static analysis result for SHA-256 49496e6ec96a9d70…

Verdict: MALICIOUS
File type: PDF
Size: 78.6 KB
Created: 2021-06-05 21:05:58 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-24
MD5: 1b0cf2d30ea12ef6f0ddb9afe586e5be
SHA-1: 52967ab0b1f65c20b2dea8ecbdb015978dff5e2d
SHA-256: 49496e6ec96a9d701a7667c8e7767a766cd87852104afa9d801c0006a35f03c1
Risk score: 226

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1539 Steal Web Session Cookie

The PDF contains numerous external links, almost all of them .pdf files parked on free or disposable hosting, which is the shape of an SEO link farm built to rank for search queries and funnel visitors into phishing or redirect chains; the wkhtmltopdf authoring string is consistent with templated bulk generation from HTML. Of the 23 .pdf links found in the document text, 11 point at uploads.strikinglycdn.com and the other 12 are spread across weebly.com subdomains, s123-cdn-static(-d).com, pbworks.com and f-static.net, which is why both the clustered (PDF_SEO_LINK_FARM) and the non-clustered (PDF_SEO_DISPOSABLE_LINK_FARM) link-farm heuristics fired. The only clickable link annotation, https://irlanc.ru/pbw?utm_term=how+to+fill+income+certificate+form+haryana, carries an SEO-style utm_term query and is the likely entry point into that redirect infrastructure. The SE_MFA_LURE heuristic indicates that the document text asks for a one-time code or MFA confirmation, i.e. it is built to harvest credentials by impersonating a service that requires MFA. The file itself carries no exploit; the risk lies in the linked destinations, so blocking the irlanc.ru URL and the listed upload paths, and searching mail and proxy logs for the hashes above, is the practical response.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics (7)

  • ClamAV detection critical CLAMAV_DETECTION
    ClamAV matched the file against signature Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • MFA / one-time-code harvesting lure high SE_MFA_LURE
    Document asks for a one-time code, authenticator approval, or MFA confirmation, consistent with credential phishing kits that steal session tokens or abuse multi-factor authentication.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action (a /URI action reachable from a link annotation; here the irlanc.ru link listed under EMBEDDED_URL).
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content; in this sample it is rated info.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://irlanc.ru/pbw?utm_term=how+to+fill+income+certificate+form+haryana (PDF link annotation)
    • https://duguzimelape.weebly.com/uploads/1/3/4/6/134666192/jesarunaki_tujizon_voroxaluzabuwup.pdf (PDF document text)
    • https://cdn-cms.f-static.net/uploads/4390637/normal_603ff7c3ad4d7.pdf (PDF document text)
    • https://bufivenejolerad.weebly.com/uploads/1/3/4/7/134709937/zabadirokidoweti.pdf (PDF document text)
    • https://lifalaril.weebly.com/uploads/1/3/4/8/134883644/ae2a0b7bcac1e1c.pdf (PDF document text)
    • https://static.s123-cdn-static-d.com/uploads/4390324/normal_60b0d22f24acc.pdf (PDF document text)
    • https://static.s123-cdn-static.com/uploads/4492897/normal_5ff8839e13a4b.pdf (PDF document text)
    • https://static.s123-cdn-static.com/uploads/4403127/normal_5fe0e0e981c5c.pdf (PDF document text)
    • https://sibezabivodigif.weebly.com/uploads/1/3/1/4/131407310/d55f426f5b660.pdf (PDF document text)
    • https://ribuxelezisif.weebly.com/uploads/1/3/4/4/134470012/5476962.pdf (PDF document text)
    • https://static.s123-cdn-static.com/uploads/4368469/normal_5ff16baa25b96.pdf (PDF document text)
    • http://www.ascendercorp.com/ (PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (PDF document text)
    • https://uploads.strikinglycdn.com/files/64f492d3-b331-42eb-8628-c6336ae8458a/60518970609.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/10d5acd8-1737-40e3-9d60-2c5af0ea8b3d/best_novels_to_improve_english_vocabulary_for_beginners.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/9897bf91-1ae8-4129-876e-e11d3da46110/how_to_mod_diablo_2_lod_single_player.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/af8de6da-2534-4ab7-a060-d184252b771d/how_to_draw_manga_characters_a_beginners_guide.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/dcc2a90d-48aa-482b-895b-d925998086b6/lonomalefa.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/17704338-d030-4342-b92e-6f8c37def325/beauty_is_in_the_eye_of_the_beholder_dd.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/66a24b46-bca4-4a25-b21c-55351ab4b35b/spanish_family_vocabulary_games.pdf (PDF document text)
    • http://jajisaparev.pbworks.com/w/file/fetch/144417720/monapabut.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/50f8f696-33cc-401b-b233-48594918ac40/minecraft_mod_1.12_2_comes_alive_espaol.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/80fd56ae-f572-4348-8e84-eec4af8d2dcb/jawobubanuzavapomelikepel.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/8f35f82e-5978-4ab1-8ad2-a11f7588b7c2/theory_and_practice_of_counseling_and_psychotherapy_ebook.pdf (PDF document text)
    • http://tusoxefum.pbworks.com/w/file/fetch/144473808/dixagezebuzutevudomuwig.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/9c700c6f-095b-4adc-bc9a-258fd83ebb3d/perfect_fingerstyle_tabs.pdf (PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (PDF document text)
    • http://purl.org/dc/elements/1.1/ (PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (PDF document text)
    • http://ns.adobe.com/xap/1.0/ (PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (PDF document text)
    • http://scripts.sil.org/OFL (PDF document text)
    Note: the last seven entries are standard RDF, Dublin Core and Adobe XMP namespace URIs plus the SIL Open Font License URL, carried by the XMP metadata packet and the embedded fonts; they are not navigable links and are not indicators. The two ascendercorp.com entries point at a font vendor's site and most likely come from the embedded fonts' vendor strings. The .pdf links on weebly.com, strikinglycdn.com, s123-cdn-static(-d).com, f-static.net and pbworks.com, together with the irlanc.ru link annotation, are the link-farm indicators.
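To make the two structural heuristics above concrete (the PDF_SEO_LINK_FARM / PDF_SEO_DISPOSABLE_LINK_FARM pair and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL), here is an added Python example. It is not part of this report and is not the code of the engine that produced it; it runs the same shape of checks over a constructed, non-renderable PDF skeleton embedded in the script. It pulls URLs out of /URI link actions and out of the raw bytes as separate channels, scores the .pdf links by host concentration, disposable-host suffix and utm_term redirector, and reports any object number defined twice with different bodies, raising the finding to active content when the duplicate carries an action key. The disposable-host suffix list (taken from the host families in this report), the thresholds MIN_PDF_LINKS and DOMINANT_SHARE, the active-key list and the sample bytes are all assumptions chosen for illustration; the real engine's thresholds are not published on this page.

```python
import json
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample (not a real document): a minimal, non-renderable PDF
# skeleton with two /Link annotations, a content stream that carries URLs as
# plain text, and an incremental update that redefines object "4 0" with a
# different /URI. Stream lengths and xref are not validated by these checks.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 6 0 R /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://redirector.invalid/pbw?utm_term=how+to+fill+a+form) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://aaa.weebly.com/uploads/1/2/3/a.pdf) >> >> endobj
6 0 obj << /Length 124 >> stream
BT (https://bbb.weebly.com/uploads/1/2/3/b.pdf https://uploads.strikinglycdn.com/files/c.pdf http://ns.adobe.com/xap/1.0/) Tj ET
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://ccc.pbworks.com/w/file/fetch/1/d.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
GENERIC_URL_RE = re.compile(rb"https?://[^\s()<>\"']+")
# Assumed: keys whose presence makes a duplicated object "active content".
ACTIVE_KEY_RE = re.compile(rb"/(URI|JS|JavaScript|Launch|OpenAction|AA|SubmitForm)\b")

# Assumed free/disposable content hosts (the families seen in this report);
# a production list would be far longer.
DISPOSABLE_HOST_SUFFIXES = (
    "weebly.com", "strikinglycdn.com", "pbworks.com",
    "f-static.net", "s123-cdn-static.com", "s123-cdn-static-d.com",
)
MIN_PDF_LINKS = 3     # assumed: fewer .pdf links than this is a normal citation pattern
DOMINANT_SHARE = 0.6  # assumed: one host carrying >= 60% of .pdf links counts as "clustered"


def duplicate_objects(data: bytes):
    """Object ids defined more than once with differing bodies.
    Returns [(num, gen, distinct_body_count, carries_active_content)]."""
    bodies = {}
    for m in OBJ_RE.finditer(data):
        key = (int(m.group(1)), int(m.group(2)))
        bodies.setdefault(key, []).append(m.group(3).strip())
    out = []
    for (num, gen), blist in sorted(bodies.items()):
        distinct = set(blist)
        if len(distinct) > 1:  # same id, different bytes: first-wins vs last-wins readers disagree
            active = any(ACTIVE_KEY_RE.search(b) for b in distinct)
            out.append((num, gen, len(distinct), active))
    return out


def extract_urls(data: bytes):
    """[(url, channel)]: /URI actions are link annotations, anything else is document text."""
    found, seen = [], set()
    for m in URI_ACTION_RE.finditer(data):
        url = m.group(1).decode("latin-1")
        if url not in seen:
            seen.add(url)
            found.append((url, "link annotation"))
    for m in GENERIC_URL_RE.finditer(data):
        url = m.group(0).decode("latin-1")
        if url not in seen:
            seen.add(url)
            found.append((url, "document text"))
    return found


def _host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def _is_disposable(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in DISPOSABLE_HOST_SUFFIXES)


def classify_link_farm(urls):
    """Score the .pdf links by host concentration, disposable hosting and SEO redirector."""
    pdf_links = [u for u, _ in urls if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(_host(u) for u in pdf_links)
    top_share = hosts.most_common(1)[0][1] / len(pdf_links) if pdf_links else 0.0
    disposable = sum(_is_disposable(_host(u)) for u in pdf_links)
    utm_redirector = any("utm_term=" in u for u, _ in urls)
    labels = []
    if len(pdf_links) >= MIN_PDF_LINKS:
        if top_share >= DOMINANT_SHARE:
            labels.append("PDF_SEO_LINK_FARM")
        if disposable or utm_redirector:  # independent of clustering, so both can fire
            labels.append("PDF_SEO_DISPOSABLE_LINK_FARM")
    return {
        "pdf_links": len(pdf_links),
        "distinct_hosts": len(hosts),
        "top_host_share": round(top_share, 2),
        "disposable_links": disposable,
        "utm_redirector": utm_redirector,
        "labels": labels,
    }


def analyze(data: bytes):
    urls = extract_urls(data)
    return {"urls": urls,
            "link_farm": classify_link_farm(urls),
            "duplicate_objects": duplicate_objects(data)}


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_PDF), indent=2))
```

Run against the sample, the redirector URL is attributed to the link-annotation channel while the weebly/strikinglycdn URLs inside the content stream are attributed to document text, object 4 0 is flagged as defined twice with an action in the body, and the four .pdf links on four different disposable hosts produce only the non-clustered label. Swap in a real file with `analyze(open(path, "rb").read())`; the regex approach deliberately ignores xref tables and object streams, so compressed object streams (/ObjStm) would need to be inflated first.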

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                       Kind              Source                                       Size
font_00_sfnt_off0000f6f7.bin   pdf-font-stream   PDF embedded font (sfnt) at offset 0xF6F7    5096 bytes
    SHA-256: 91b90e0ac614c4a8c0d131cbce28e3a30fb06dd90f6ab942f8a4e95b479e23e4
font_01_sfnt_off00010836.bin   pdf-font-stream   PDF embedded font (sfnt) at offset 0x10836   10736 bytes
    SHA-256: 00c9dd231bc3a17908d7d3a1c5bef6171843163f84255101b455d7c095746b89