Malicious PDF — malware analysis report

Static analysis result for SHA-256 8a233e38ae3b5e3e…

MALICIOUS

PDF

76.3 KB Created: 2021-05-25 10:50:00 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-25
MD5: 107a898a108af408eeda9a3ff4444797 SHA-1: 07c25d2ccddb042840c0c7193aad65058306dbc9 SHA-256: 8a233e38ae3b5e3e69f1568325f2a07822bc1a5149de24e47bdfa4b54027011d
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is a PDF containing numerous external links, flagged as a critical heuristic for PDF SEO link farms. The ML classifier and ClamAV detection strongly indicate maliciousness. The embedded URLs, particularly 'https://kuzutuzo.ru/strik?utm_term=capstone+project+report+pdf', suggest a phishing or redirection attempt, likely disguised as a report to trick users into clicking.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://kuzutuzo.ru/strik?utm_term=capstone+project+report+pdf PDF link annotation
    • https://cdn-cms.f-static.net/uploads/4413590/normal_6060bb43bfd6c.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4426941/normal_5fdddb43d395d.pdfIn PDF document text
    • https://jazawimap.weebly.com/uploads/1/3/5/3/135346256/turigiviweben_pepuvirevivozej.pdfIn PDF document text
    • https://tewuwixo.weebly.com/uploads/1/3/4/6/134629191/2317083.pdfIn PDF document text
    • https://tobivuzulukimu.weebly.com/uploads/1/3/1/3/131384599/vejisawamiti-mitidilenowon.pdfIn PDF document text
    • https://xadajosawot.weebly.com/uploads/1/3/1/6/131636584/4908072.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/0aa04f11-e227-40ba-bbc6-73cd7a593485/39738255068.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/ac3f096b-6e7f-4a66-af5a-9707f0343137/74048818709.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/fa63546d-09fa-4a78-b707-c6c6730aff6b/donupo.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/842f6774-0105-40bf-a7ba-bde6414fead9/problemas_porcentajes_6_primaria_resueltos.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/ea4e25c7-c88a-4bd2-b634-7962b20b0599/dmv_written_test_hardest_questions.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/b8ce1018-9157-4a6b-a530-6bb7dece791e/why_do_jehovah_witness_not_celebrate_christmas.pdfIn PDF document text
    • https://s3.amazonaws.com/faduxodiwo/bhojpuri_film_nirahua_hindustani.pdfIn PDF document text
    • https://s3.amazonaws.com/vibuvomomuv/dish_network_tv_guide_tonight.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/f2dbcd44-f990-43db-befd-dda4b15b0ca5/singer_futura_xl-550_price_in_india.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/ad8c82b2-92c2-4037-8c61-f15c248af482/hp_laserjet_2100_pcl6_treiber.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000eead.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEEAD 5096 bytes
SHA-256: 0fc9a360848e9ecebc31773ec25cf0c501266839a87663775995eb83eacd6721
font_01_sfnt_off00010011.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10011 10712 bytes
SHA-256: cffc82b78a9cf5506c87cbe16d78ab978d7ceb845c12b5a001c1e51661e3788b