Malicious PDF — malware analysis report

Static analysis result for SHA-256 796c71041c6cdd7c…

MALICIOUS

PDF

Size: 73.7 KB
Created: 2021-03-29 10:42:38 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-18
MD5: fd23ecbfea059b431ddded62d4b10d93
SHA-1: bb34781a20633023349b60d6c0386d348ac13eb5
SHA-256: 796c71041c6cdd7c90820a704a1dd763e15649a6d222f794eae093890913f02d
Risk Score: 136

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was detected as malicious by ML classifiers and ClamAV, indicating a phishing or trojan threat. It contains an embedded URL that redirects to a download lure, disguised as educational worksheets for kindergarten. The presence of PDF_SEO_UTM_REDIRECTOR_LINK heuristic further supports the phishing lure. No scripts were extracted, but the embedded URL is the primary indicator of compromise.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image lure linking to an SEO redirector (free-download phishing) [high] PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://vilenefex.ru/123?utm_term=cardinal+direction+worksheets+for+kindergarten (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                       | Kind            | Source                                  | Size
font_00_sfnt_off0000e1bb.bin   | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE1BB | 5344 bytes
  SHA-256: 3f8659525e11380b03bc7c576f940d6ecdffd7694d1858e064139d1af1c1f8c6
font_01_sfnt_off0000f3f5.bin   | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF3F5 | 10908 bytes
  SHA-256: f6dd064ce0b8bb1d15685364d67afcb174a7712640bcfaea4dc157a8398e3efa