Malicious PDF — malware analysis report

Static analysis result for SHA-256 830aad809166a201…

Verdict: MALICIOUS
File type: PDF
Size: 70.5 KB
Created: 2021-03-14 14:36:48 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-07-02
MD5: 5d2c0bdf51f10ef30ae6967da7330433
SHA-1: 026e4ad3c4a0c6b55b5695be07ca1e50d17470c5
SHA-256: 830aad809166a201931c54009042471748773a11537d107f3bdc1a010141e4af
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution

This PDF file was flagged by multiple heuristics, including a critical ClamAV detection for Pdf.Phishing.Trojan and an ML classifier score indicating maliciousness. It contains a large number of external links, suggesting a link farm or phishing attempt; the primary suspicious URL is https://xajibur.ru/award?keyword=bastien+piano+basics+theory+primer+level+pdf. The PDF_SEO_LINK_FARM heuristic indicates a mass of external PDF links, most likely intended to manipulate search engine results or redirect users to malicious content.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9996

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://xajibur.ru/award?keyword=bastien+piano+basics+theory+primer+level+pdf (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000d349.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD349
    Size: 5744 bytes
    SHA-256: 83977cfe2a4a5484f3fc9d8b61f73fe4e6a8c7744008ed1bdb2f3e28e5616fd4
  • Filename: font_01_sfnt_off0000e6af.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE6AF
    Size: 10476 bytes
    SHA-256: 489471acc8bdc8fc1b6f4754d44a6ed4d5f2b7be31cf7e7bd0e8bb3e41515168