Malicious PDF — malware analysis report

Static analysis result for SHA-256 72222294691176e1…

MALICIOUS

PDF

  • Size: 78.9 KB
  • Created: 2021-03-23 20:29:39 +02:00
  • Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
  • MD5: 13345224fd3fe98a94ccebd5a7260499
  • SHA-1: 4f4d889c6e4e4a60db99fefb0ed8b2322e99e20f
  • SHA-256: 72222294691176e14d741bb87243c9df022f4a97fccfcaf256dff5815bfa3ab9
  • Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution

The PDF file triggers a heuristic for an external URI pointing to 'zajinet.ru', which is suspicious given the 'core banking services pdf' lure in the URL. Additionally, a critical heuristic identified a mass external PDF link farm, suggesting an SEO-poisoning or spamming campaign. ClamAV also detected this file as 'Pdf.Phishing.Trojan'. No scripts were extracted, but the PDF structure and the embedded links indicate an intent to redirect users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9961

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://zajinet.ru/award?keyword=core+banking+services+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename, Kind, Source, Size

  • font_00_sfnt_off0000f443.bin
    SHA-256: 7a193380b82065654a17b39e253aafffc32f39394940a64ae4d20274a442d85f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF443
    Size: 5460 bytes
  • font_01_sfnt_off000106eb.bin
    SHA-256: 5b7217e96a4077036e7148d1b3bbda03d42819fe446b8da0b665a75ad1debd15
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x106EB
    Size: 10888 bytes