Malicious PDF — malware analysis report

Static analysis result for SHA-256 4dc0427cd26e34d1…

Verdict: MALICIOUS
File type: PDF
Size: 87.2 KB
Created: 2021-05-20 11:31:44 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7f6e5636c23496b4a6f51d13f384f0ab
SHA-1: 523d54eadb5e4c9947eafcdad33050496bfad798
SHA-256: 4dc0427cd26e34d1136aec02cc3313330bfc274ac774fe1f49a70485a092e8af
Risk Score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, with one prominent link pointing to 'zajinet.ru' disguised as a firmware download. This, combined with the ClamAV detection and ML classifier flagging, strongly suggests a phishing or malware distribution attempt. Although no scripts were explicitly extracted, the PDF structure and heuristic firings indicate malicious intent, likely involving the embedded URLs.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9970

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://zajinet.ru/strik?utm_term=samsung+galaxy+tab+3+sm-t210r+firmware+free+download
    • https://zukodefikarux.weebly.com/uploads/1/3/4/4/134498552/vivinuwiradagawixap.pdf
    • https://cdn-cms.f-static.net/uploads/4455907/normal_602ef3096e98e.pdf
    • https://dorakipep.weebly.com/uploads/1/3/4/7/134747047/40d149e4.pdf
    • https://cdn-cms.f-static.net/uploads/4366632/normal_6066933d380c5.pdf
    • https://cdn-cms.f-static.net/uploads/4378608/normal_5fda039db87c2.pdf
    • https://static.s123-cdn-static.com/uploads/4403263/normal_5fc6d54fefd25.pdf
    • https://static.s123-cdn-static.com/uploads/4455886/normal_5fcdadf0a83d4.pdf
    • https://mamasikixatok.weebly.com/uploads/1/3/5/9/135961158/0e97bcb.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/870efa59-591b-4b3e-9f67-5113a0fd5351/how_do_i_remote_start_my_lexus_rx350.pdf
    • https://s3.amazonaws.com/sikuva/steam_cleaners_hoover_floormate_deluxe_hard_floor_cleaner_fh40150.pdf
    • https://uploads.strikinglycdn.com/files/b91ed0cc-2a04-42f6-b67e-10c836390f7c/ferrari_812_superfast_price_malaysia.pdf
    • https://uploads.strikinglycdn.com/files/b634fe5a-f441-4a56-ab21-b8b13cbba8bb/73009392462.pdf
    • https://s3.amazonaws.com/vixuwogetiv/how_many_bytes_in_a_32_bit_word.pdf
    • https://uploads.strikinglycdn.com/files/1a6971d4-fb3e-44fa-b4e8-fb95ef779a8d/cva_wolf_accuracy_issues.pdf
    • https://s3.amazonaws.com/lazesej/kafka_1922_short_story.pdf
    • https://uploads.strikinglycdn.com/files/acd3f7e9-91a2-4f47-b2b4-7c858c9f1fcc/last_child_in_the_woods_genre.pdf
    • https://s3.amazonaws.com/vatakefojunib/bajirao_mastani_movie_in_tamilyogi.pdf
    • https://uploads.strikinglycdn.com/files/9ba466d7-512f-453d-9d08-8f2fc61d0537/lanajizolalumo.pdf
    • https://uploads.strikinglycdn.com/files/848827c9-8f15-416f-8b9c-aa57093ae527/tisewegowapekanobariju.pdf
    • https://uploads.strikinglycdn.com/files/c0daffa7-bfa4-4e60-bb51-813542a0ce40/52939649155.pdf
    • https://uploads.strikinglycdn.com/files/0c3e2d48-924f-4300-bb53-9c480778150f/rca_opal_mp3_player_manual.pdf
    • https://uploads.strikinglycdn.com/files/abc54e1f-80f4-46fc-8bea-1908bbac2512/zibitivuwosuxuruzomope.pdf
    • https://uploads.strikinglycdn.com/files/08f85543-cd0e-4657-8de9-28d92fdfc978/domifupurotifa.pdf
    • https://s3.amazonaws.com/sifawekujiki/57693088540.pdf
    • https://uploads.strikinglycdn.com/files/26a89ee1-2ce3-4856-b09c-d2e35f47630b/where_do_dermestid_beetles_live.pdf
    • https://uploads.strikinglycdn.com/files/29ec0bdd-be49-4181-84fc-95aad19740f5/jififuzoterune.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000113de.bin
    SHA-256: ea6999a6b0b4e2b3810cbe75171f6bded83e95f49242191f4682ba5fb64ee766
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x113DE
    Size: 6252 bytes
  • Filename: font_01_sfnt_off00012931.bin
    SHA-256: 974b081d173c3779fbe24b1be0c4b4c6f859b21a6714aa189f541c0ad3b267a5
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12931
    Size: 11136 bytes