Malicious PDF — malware analysis report

Static analysis result for SHA-256 88f24cf34a08b614…

Verdict: MALICIOUS
File type: PDF
Size: 111.4 KB
Created: 2021-05-21 04:27:59 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-25
MD5: 0f890b10899e59cda18e5e43ad09fdd2
SHA-1: 6248c0c9e0ad15f1d3a7e5614008adf5b05502f5
SHA-256: 88f24cf34a08b614c3cc26190a6dc2cbcd796d09e9b2770bb590c5d10a9a1f01
Risk score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF document contains multiple invisible links that redirect to a URL designed to trick users into downloading a payload, masquerading as a song download. The ML classifier and ClamAV detection strongly indicate malicious intent. The embedded URL is the primary indicator of compromise, likely serving as a lure for a phishing or malware distribution campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9979

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Invisible/repeated PDF links deliver payload file critical PDF_REPEATED_PAYLOAD_LINK_LURE
    PDF uses invisible link annotations and points to a direct payload download. Repeated invisible links or lure-like payload names such as document/unlock/verify archives match malware-delivery PDF carriers where the page is only a prompt and the real payload is fetched from the linked URL.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://seumenha.ru/strik?utm_term=abcd+hd+video+song+download+pagalworld.com (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4376380/normal_5fd61b202cd42.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4407747/normal_5fce12b843d66.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • http://fedorahosted.org/lohit (in PDF document text)
    • https://s3.amazonaws.com/batoragubukepo/poetic_edda_vs_prose_edda.pdf (in PDF document text)
    • https://s3.amazonaws.com/mogipegi/22931146124.pdf (in PDF document text)
    • https://s3.amazonaws.com/woxotopapozokev/lipoz.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/92a6a478-90fb-4eca-8308-e754b996b1f7/formula_para_calcular_area_y_volumen_de_un_prisma_pentagonal.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/e8f42b99-b7cf-4224-b8b4-91843cbbf5db/2590577726.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/646c25d5-4cb2-4b7f-9282-12704b74aa49/baldurs_gate_3_xbox_one_release.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/69cdb25b-8d9d-42db-88e5-74ce7228b7d0/filarerujimosu.pdf (in PDF document text)
    • https://s3.amazonaws.com/gomakobez/53598276716.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/7c315967-c0e4-49a5-bb1f-0dbb8fb0fe5d/the_gnostic_bible.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/6d1b8b81-088f-4cc9-9cd2-250aced52ea1/dragon_age_inquisition_best_dagger_schematics.pdf (in PDF document text)
    • https://s3.amazonaws.com/jolozidabi/sista_by_charlotte_dipanda.pdf (in PDF document text)
    • https://s3.amazonaws.com/jinotugiwomo/uniformes_colegio_mayor_alferez_real.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/91b8dd1c-0992-49ac-bc0f-8f1aad2d9e6b/wild_game_camera_walmart.pdf (in PDF document text)
    • https://s3.amazonaws.com/napisakaluja/nokixiwogotevodovod.pdf (in PDF document text)
    • https://s3.amazonaws.com/xeropizuwe/tulen.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/77a66580-7842-4c30-9639-94685764f62f/sta-rite_pool_pump_bearing_replacement.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/0cd44074-13c7-451a-85c4-c5aecee21d9c/71362594498.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/283b2061-3f51-4451-a058-878fd1fb58e6/delta_table_saw_fence_replacement_parts.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/6c4ae5f4-8e80-47c2-bc92-e30ab745e903/is_the_tippmann_a5_a_good_gun.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/12fb23d9-c949-4b70-b394-22ddc4b19608/gozogunuvafag.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    • http://www.geocities.com/mitra_anirban/hobbies.htmGNU (in PDF document text)
    • http://www.gnu.org/copyleft/gpl.htmRegular (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                       Size
font_00_sfnt_off0001308d.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1308D   5800 bytes
  SHA-256: 4da4ca01a97ffab00772254d9849c7414c4e6a4ed0e2c3d63d8e888f659272a6
font_01_sfnt_off00014435.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x14435   3720 bytes
  SHA-256: 6539b129c5cd894636dc8f40f53a156c00c8f46378ab4f137c96d687a1cff6ed
font_02_sfnt_off00014f98.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x14F98   11496 bytes
  SHA-256: 949d6ece28d10c69940e9bfbcbaa925a80aeb0036d9380affb9514bce628d7b4
font_03_sfnt_off0001741e.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1741E   16164 bytes
  SHA-256: 6e3fbd491d8b71441998836ddca0d0c102716a221ea14f8143929167ad9a79b3
font_04_sfnt_off00018970.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x18970   12324 bytes
  SHA-256: d16569f90d95aa5487a25c17132cb8e92cbc72c3338215a5579b944d69b5a42c