Malicious PDF — malware analysis report

Static analysis result for SHA-256 8e4c874002e85598…

MALICIOUS

PDF

Size: 80.8 KB
Created: 2021-05-24 17:43:06 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-23
MD5: f94ea6f33aa6d5992904b30b11a798a4
SHA-1: 46fe35c2a11092c2fcc5ed11ad90d6cd61ecfc3c
SHA-256: 8e4c874002e85598cad4c9a1b4a4ca70f7646217ac7db11141dd3c59beaf2a61
Risk Score: 154

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript

This PDF is a lure: it is laid out as a helpful guide for installing Netflix on Android, and its clickable link points to 'https://yafferge.ru/strik?utm_term=how+do+i+install+netflix+apk+on+android', a URL flagged as malicious redirector infrastructure. The ML classifier score and the ClamAV signature match both indicate malicious intent, most likely phishing or malware distribution through a redirect chain that starts when the user clicks the link. None of the four heuristics below reports embedded JavaScript or a parser exploit, so the T1059.007 tag is not corroborated by an extracted script in this report; the document relies on user interaction.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (same object number N and generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates (this file was produced by wkhtmltopdf, which writes standard PDF), so severity is raised only when the duplicate carries active content such as an action or script.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL  Channel
    • https://yafferge.ru/strik?utm_term=how+do+i+install+netflix+apk+on+android  In PDF document text
    • https://static.s123-cdn-static.com/uploads/4492600/normal_5fcdcba457173.pdf  In PDF document text
    • https://cdn-cms.f-static.net/uploads/4452398/normal_5fea385862b97.pdf  In PDF document text
    • http://www.ascendercorp.com/  In PDF document text
    • http://www.ascendercorp.com/typedesigners.html  In PDF document text
    • https://uploads.strikinglycdn.com/files/c5f3af63-3c2d-4f7e-9d96-533c72d261f8/80356164198.pdf  In PDF document text
    • https://uploads.strikinglycdn.com/files/cf61e257-d8d7-4973-bc2f-67de15a6ddfd/what_is_the_meaning_of_good_thermal_conductor.pdf  In PDF document text
    • https://uploads.strikinglycdn.com/files/4de4cbd8-042f-430c-94d9-0f0b4a176029/delta_hiring_flight_attendants_2020_indeed.pdf  In PDF document text
    • https://uploads.strikinglycdn.com/files/1128a92a-0a7d-4879-b891-546001c9414e/66492800170.pdf  In PDF document text
    • https://uploads.strikinglycdn.com/files/c36c69f7-bdbb-4d29-8b94-2f185f56dc5f/xogukusuduz.pdf  In PDF document text
    • https://uploads.strikinglycdn.com/files/266a17d4-29f2-43fa-83b4-913717a070bf/how_to_use_infinite_ammo_in_resident_evil_2.pdf  In PDF document text
    • https://uploads.strikinglycdn.com/files/d5abfbba-714b-4103-942a-2aae36fcf55c/how_to_drain_a_porter_cable_air_compressor.pdf  In PDF document text
    • https://uploads.strikinglycdn.com/files/eb259ec7-84b4-427d-a15e-718b48ce7803/vomovazesikoxixosole.pdf  In PDF document text
    • https://uploads.strikinglycdn.com/files/995f0539-1bdc-4bc1-ae21-85c8a91f0012/34611925422.pdf  In PDF document text
    • https://uploads.strikinglycdn.com/files/02463b49-72ae-4cac-9995-0608e0c0430f/toro_timecutter_z4200_front_tire_size.pdf  In PDF document text
    • https://uploads.strikinglycdn.com/files/4548b967-52fd-440e-92b3-0297c5975212/how_to_draw_a_portrait_step_by_step_for_beginners.pdf  In PDF document text
    • https://uploads.strikinglycdn.com/files/3dd8ead0-4e79-4922-9476-88a23c2330cb/29654378780.pdf  In PDF document text
    • https://uploads.strikinglycdn.com/files/f386680b-552d-4fcc-afb2-b97ca8269c9a/20528414669.pdf  In PDF document text
    • https://uploads.strikinglycdn.com/files/b4add09d-a99a-4412-9275-68c9410900fe/42340780546.pdf  In PDF document text
    • https://s3.amazonaws.com/tesasubawalozan/47154765215.pdf  In PDF document text
    • https://s3.amazonaws.com/wujafivabipo/android_custom_actionbar.pdf  In PDF document text
    • https://uploads.strikinglycdn.com/files/45a45394-5e06-4226-a71a-f4dc0ae2ad08/kumisefofivogagufugoka.pdf  In PDF document text
    • https://uploads.strikinglycdn.com/files/4d903789-263d-4a1e-b233-83be0a2f4d64/93261795413.pdf  In PDF document text
    • https://s3.amazonaws.com/tarizirefevifab/hack_avatar_258_cho_android.pdf  In PDF document text
    • https://uploads.strikinglycdn.com/files/4faa3126-7cbe-4642-a3d3-3352c324c18d/92806653728.pdf  In PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#  In PDF document text
    • http://purl.org/dc/elements/1.1/  In PDF document text
    • http://ns.adobe.com/pdf/1.3/  In PDF document text
    • http://ns.adobe.com/xap/1.0/  In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/  In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/  In PDF document text
    • http://scripts.sil.org/OFL  In PDF document text
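The two document-structure heuristics above (the duplicate-object check and the per-channel URL extraction) can be reproduced with a small static triage script. The following is an added example written for this page, not the analysis platform's own code: it walks every `N G obj ... endobj` definition in file order, reports objects whose repeated definitions differ and whether any differing body carries active content, shows what a first-wins versus last-wins reader would resolve, and labels extracted URLs as coming from a link annotation (`/URI` action) or from the document body. The PDF bytes and the `BAD_HOSTS` set are constructed for the demo and are not the analysed sample or real threat intelligence.

```python
"""Static PDF triage helpers: duplicate indirect objects and URL-by-channel.
Added example for this report, not the analysis platform's code."""
import re
from collections import OrderedDict
from urllib.parse import urlsplit

# Constructed sample: a minimal PDF whose incremental update (after the first
# %%EOF) redefines object 4, a link annotation, with a different /URI.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] /Contents 5 0 R >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.org/guide) >> >> endobj
5 0 obj << /Length 44 >>
stream
BT (See http://www.example.org/help) Tj ET
endstream
endobj
xref
0 6
trailer << /Root 1 0 R /Size 6 >>
startxref
0
%%EOF
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://redirector.invalid/strik?utm_term=install) >> >> endobj
xref
trailer << /Root 1 0 R /Size 6 /Prev 0 >>
startxref
0
%%EOF
"""

# Placeholder blocklist for the demo; a real deployment would use curated intel.
BAD_HOSTS = {"redirector.invalid"}

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
# Dictionary keys that make a differing duplicate worth a raised severity.
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction", b"/AA",
               b"/URI", b"/SubmitForm", b"/GoToR", b"/EmbeddedFile")
URI_ANNOT_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
GENERIC_URL_RE = re.compile(rb"https?://[^\s()<>\[\]\"']+")


def iter_objects(data):
    """Yield (num, gen, body) for each object definition in file order,
    including redefinitions appended by incremental updates."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip()


def duplicate_objects(data):
    """{(N, G): [body, ...]} for objects defined more than once with at least
    two distinct bodies; byte-identical repeats are not reported."""
    seen = OrderedDict()
    for num, gen, body in iter_objects(data):
        seen.setdefault((num, gen), []).append(body)
    return {k: v for k, v in seen.items() if len(set(v)) > 1}


def resolve(data, num, gen, policy="last"):
    """Resolve an object the way a first-wins or last-wins reader would."""
    bodies = [b for n, g, b in iter_objects(data) if (n, g) == (num, gen)]
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


def assess_duplicates(data):
    """One finding per differing duplicate: 'critical' when any of its bodies
    carries active content, otherwise 'info' (the benign update case)."""
    findings = []
    for (num, gen), bodies in duplicate_objects(data).items():
        active = any(k in b for b in bodies for k in ACTIVE_KEYS)
        findings.append({"obj": (num, gen), "definitions": len(bodies),
                         "severity": "critical" if active else "info",
                         "first_wins": bodies[0], "last_wins": bodies[-1]})
    return findings


def extract_urls(data):
    """[(url, channel)]: 'link annotation' for /URI actions, 'document body'
    for any other URL-shaped bytes (content streams, XMP metadata, ...)."""
    found = OrderedDict()
    for m in URI_ANNOT_RE.finditer(data):
        found.setdefault(m.group(1).decode("latin-1"), "link annotation")
    for m in GENERIC_URL_RE.finditer(data):
        found.setdefault(m.group(0).decode("latin-1"), "document body")
    return list(found.items())


def flag_redirectors(urls, bad_hosts):
    """URLs whose hostname appears in the blocklist."""
    return [u for u, _ in urls if urlsplit(u).hostname in bad_hosts]


if __name__ == "__main__":
    for f in assess_duplicates(SAMPLE_PDF):
        print(f["obj"], f["definitions"], "definitions", f["severity"])
        print("  first-wins:", f["first_wins"])
        print("  last-wins: ", f["last_wins"])
    for url, channel in extract_urls(SAMPLE_PDF):
        print(channel, url)
    print("flagged:", flag_redirectors(extract_urls(SAMPLE_PDF), BAD_HOSTS))
```

On the constructed sample the script reports object 4 0 as critical because both definitions carry a `/URI` action, and a first-wins reader resolves the benign guide link while a last-wins reader resolves the redirector. The regex object walker is deliberate for triage: it does not follow the xref table, so it sees every definition the file contains rather than only the one a conforming reader would use, which is exactly what the duplicate-body check needs. It does not decode compressed object streams, so a production scanner would additionally inflate `/ObjStm` streams before running the same checks.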

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000f008.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF008 | 5220 bytes
  SHA-256: 4680233a4a60386025e3fe1d0fb645e9172fd53c751c764e3108a07107d04c0f
font_01_sfnt_off000101ed.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x101ED | 22248 bytes
  SHA-256: 05b7be1bd511efe9ac88cffa55b54758583dd6765dfe69e7076bf9b0b3b65f4e