Malicious PDF — malware analysis report

Static analysis result for SHA-256 60bf22e761ce161e…

Verdict: MALICIOUS

File type: PDF

Size: 81.1 KB
Created: 2021-03-28 20:17:08 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0423c7b7b8ce00aca2ea32c220cfaec5
SHA-1: e402eb3a201410103a09a13d9d3dfe9c16870760
SHA-256: 60bf22e761ce161ed53cbe683c4609ebc16f87594a3ab661453c6c7f09356d95
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF document was flagged by multiple heuristics, including ClamAV and an ML classifier, as malicious. It contains a large number of external links, many of which are to other PDF files, suggesting a link farm or SEO manipulation tactic. The primary external URL, https://zajinet.ru/award?keyword=class+12+maths+syllabus+2020+20+pdf, appears to be the main lure. No scripts were extracted, but the presence of numerous external links indicates a potential for further malicious activity.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://zajinet.ru/award?keyword=class+12+maths+syllabus+2020+20+pdf
    • http://kidulukapaxarej.iblogger.org/wokugegixubimogimajiriga.pdf
    • http://rovanenafet.getenjoyment.net/82625533520.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://fedorahosted.org/lohit
    • https://d102a0f2-001f-4998-bb0a-88ac30ac05b5.filesusr.com/ugd/771ea4_2a74c0c1dcc7479f9ce71d5bd5b779ed.pdf?index=true
    • https://uploads.strikinglycdn.com/files/840fbdcb-9e15-4e03-81a5-76e967565e47/dir-880l_a2_dd-wrt.pdf
    • http://voxinakono.rf.gd/cavatina_john_williams.pdf
    • https://uploads.strikinglycdn.com/files/856b126f-ed68-436b-a44a-e4f9b2357407/nipiwegano.pdf
    • https://5e9c932d-19a8-4d5a-a970-d4bc0bcb832b.filesusr.com/ugd/bae0a0_c488806bac104f68a2d8ea63166c93cc.pdf?index=true
    • https://s3.amazonaws.com/lodazojamuva/development_of_sociology.pdf
    • https://uploads.strikinglycdn.com/files/3c2e1479-cd52-4be2-9d2d-81bba48b6856/jileloti.pdf
    • https://uploads.strikinglycdn.com/files/9bb48f88-8d2d-400c-874a-5f3570dbcdb0/sat_essay_answer_sheet.pdf
    • https://uploads.strikinglycdn.com/files/d1e03b0e-76a4-4bb2-a854-4264e94f4f9d/72765513463.pdf
    • https://uploads.strikinglycdn.com/files/194c23bf-059e-4ffb-9cc2-f06e3760abe3/meloremiverok.pdf
    • https://s3.amazonaws.com/muxegeza/lagu_armand_maulana_11_januari.pdf
    • https://318abaa7-a496-4882-a5ef-186b1d719b20.filesusr.com/ugd/ff2e65_d26ea5e7483b483cb2ed67e3cb8dc997.pdf?index=true
    • http://vidugozu.atwebpages.com/how_to_backup_windows_10_operating_system.pdf
    • https://uploads.strikinglycdn.com/files/dc135c1b-0b11-402b-bc24-d0dbd47d1ecd/86727179680.pdf
    • http://solezod.myartsonline.com/leaves_of_grass_full_book.pdf
    • https://s3.amazonaws.com/buxoparadazegu/full_form_of_abbreviations.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000ec79.bin | 7cab8f76158637b21cc4f55754268c43da15464e0c23f4f9c2e566ee5ea31475 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEC79 | 5660 bytes
font_01_sfnt_off0000ff99.bin | 5e6050d0bb57d2811033506030df6b94ae5e9793aecb9d99177f90078ecea5ee | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFF99 | 10988 bytes
font_02_sfnt_off00012537.bin | df590052af125b0e4500c60a18a9e3cd7fa41473730e56b8c7a0a5a9b2f2977b | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12537 | 4304 bytes