Malicious PDF — malware analysis report

Static analysis result for SHA-256 8f851405af11124a…

MALICIOUS

PDF

78.0 KB Created: 2021-03-14 03:21:13 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-06-30
MD5: 1721b204b34c4f842d9ff419e531e4c7 SHA-1: f3eeb0965464f63184993f107e2bc608105b54bd SHA-256: 8f851405af11124a0863eff88c715291c4d0e7751991345de6ef8fccaafa60dc
252 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a significant number of external links, many pointing to disposable hosting, indicating a link farm designed to distribute malicious content or phish users. One critical heuristic identified a link to known malicious redirector infrastructure, specifically 'https://yafferge.ru/123?utm_term=whatsapp+app++now+jio+mobile'. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://yafferge.ru/123?utm_term=whatsapp+app++now+jio+mobile In PDF document text
    • https://cdn-cms.f-static.net/uploads/4460072/normal_6011bf16b6685.pdfIn PDF document text
    • https://xujupowosorome.weebly.com/uploads/1/3/4/4/134485259/fb0eadc99be9ee9.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4464702/normal_6029ee1a5820f.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4369164/normal_6039da02345d9.pdfIn PDF document text
    • https://golinogejus.weebly.com/uploads/1/3/1/6/131606227/4859671.pdfIn PDF document text
    • http://xexogafuko.22web.org/hooked_inc_strategy_guide.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4501998/normal_601e066952cf7.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4491414/normal_601486011b388.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4446772/normal_602a5813752f4.pdfIn PDF document text
    • https://xubetiduradana.weebly.com/uploads/1/3/0/7/130739761/9305278.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4454544/normal_6031e2d2204fa.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4369330/normal_5fc99507edaf6.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/30d090c4-f5b2-412f-b5f4-c5e5df60456f/92599074994.pdfIn PDF document text
    • https://901c4554-6fda-40bf-8344-1f1538f5dc06.filesusr.com/ugd/a76634_881572889944463cbf49e2137dfcd86e.pdf?index=trueIn PDF document text
    • http://buxazub.epizy.com/57055007211.pdfIn PDF document text
    • http://zogupavufun.epizy.com/zanatenoxijobefafojuwi.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/8ad54106-86e4-4c6c-88fc-d04522bbbdab/4472465451.pdfIn PDF document text
    • https://6e345194-e688-4037-aa24-2ff230a16836.filesusr.com/ugd/ce9fe1_c015be53f964411b9c3175cc208fd295.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/29371662-e808-4fec-9972-3a15b2bb39cc/2743983595.pdfIn PDF document text
    • https://c216880a-03a2-4774-ab7e-121c93799e8f.filesusr.com/ugd/b5aed9_7db42cc9cc20498983d00f0615c41a94.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/3cc36100-282c-4f1f-a899-a84a2158cbc8/13883548184.pdfIn PDF document text
    • https://ef4f51cf-aae9-439d-85d5-db2134c8a05d.filesusr.com/ugd/8a9083_d5bea50a15d44133a6d99bfb6026f41e.pdf?index=trueIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000efea.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEFEA 5284 bytes
SHA-256: f59492388a535466f71a86436441559fab3f1f606e0e533498751cc6af8913d3
font_01_sfnt_off000101d6.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x101D6 12020 bytes
SHA-256: 17580700ca0231aff995b0eaf81e8062f1a71eae1a1b100203d26bb690e3653a