Malicious PDF — malware analysis report

Static analysis result for SHA-256 91b7dacd29928c9d…

MALICIOUS

PDF

Size: 77.3 KB
Created: 2021-03-20 23:18:02 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-08-20
MD5: b9c861c6d0b29b73613736a5bf3ecc45
SHA-1: b3135a9942b4dde4d697d8425503a0c104dc9428
SHA-256: 91b7dacd29928c9d3bac031409236050df7ae1052797434035193fa70b50021c
Risk Score: 194

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains heuristics indicating it's a malicious redirector and phishing attempt, specifically using a lure about 'community health centers pinellas county fl'. The primary malicious URL identified is https://yafferge.ru/strik?utm_term=community+health+centers+pinellas+county+fl, which is flagged as a known malicious redirector. The ML classifier and ClamAV detection strongly support its malicious nature.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9960

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://yafferge.ru/strik?utm_term=community+health+centers+pinellas+county+fl (In PDF document text)
    • https://cdn.sqhk.co/dowivita/enWZIsJ/green_panda_bamboo.pdf (In PDF document text)
    • https://cdn.sqhk.co/mubogasaven/fwgiRYQ/34643993546.pdf (In PDF document text)
    • https://cdn.sqhk.co/mozigizax/AggWAiF/dazevate.pdf (In PDF document text)
    • https://cdn.sqhk.co/divojimo/hevOheA/9539572282.pdf (In PDF document text)
    • https://cdn.sqhk.co/xubuzivo/ghjh2gj/a1_size_cardboard_sheets.pdf (In PDF document text)
    • https://cdn.sqhk.co/fapetemiji/kijghhg/occupational_therapy_schools_online.pdf (In PDF document text)
    • https://cdn.sqhk.co/fepogosu/ifggSib/simple_and_clean_piano_sheet_music.pdf (In PDF document text)
    • https://cdn.sqhk.co/vilitemeru/ihUhdWk/megan_is_missing_true_story_news.pdf (In PDF document text)
    • https://cdn.sqhk.co/vawapisoxe/wihasmg/messi_vs_ronaldo_free_kick_goals_statistics.pdf (In PDF document text)
    • http://www.ascendercorp.com/ (In PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (In PDF document text)
    • https://uploads.strikinglycdn.com/files/08d569f9-f956-447d-9af6-5e7e31d7b587/19870073476.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/4e37c4cf-4c24-4979-9bcf-b823b60f7e0a/pdf_oxford_dictionary_english_to_urdu.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/7e5a7e56-64ce-452d-b74c-5a503b52a374/xodaligirumafawi.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/3cd19dcc-9f1e-4de6-acfc-84b76769fba4/15414479807.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/6544379d-a8bc-476d-9876-71c59d9b945f/how_to_quit_smoking_easy_and_fast.pdf (In PDF document text)
    • https://s3.amazonaws.com/tawosutosuxi/77859440846.pdf (In PDF document text)
    • https://s3.amazonaws.com/penale/macos_catalina_10._15_gm_seed.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/05b5c2f3-2e45-4152-9ca9-b3cf302d5677/resam.pdf (In PDF document text)
    • https://s3.amazonaws.com/tomaxade/30120600584.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/ae8a19d4-c6ec-4eac-ad73-d54aa63ac6f5/71677461831.pdf (In PDF document text)
    • https://s3.amazonaws.com/risisipajole/14551772726.pdf (In PDF document text)
    • https://s3.amazonaws.com/vigevot/customer_appreciation_certificates_templates.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/c5d817bb-d64b-4599-932b-756869914f6d/how_much_is_a_2000_watt_generator.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/de466395-b93a-4955-b816-eb3d77cf78c3/37098901228.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/8b37f97d-310f-46b1-b70b-1065a9bb6108/33956798468.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/6f7ae066-15d1-4a4e-9eef-b15a4c14752a/what_is_the_food_safety_act_uk.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/e815b9bf-7d29-4c86-bcaa-281579f15ceb/jotusokajanovenu.pdf (In PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (In PDF document text)
    • http://purl.org/dc/elements/1.1/ (In PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (In PDF document text)
    • http://scripts.sil.org/OFL (In PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000f020.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF020
    Size: 5260 bytes
    SHA-256: c1887fc3c45128bd2ebb1ff28346c1539d430462ac0be7c798ec321847c74acf
  • Filename: font_01_sfnt_off000101dc.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x101DC
    Size: 11176 bytes
    SHA-256: 4c3b47878dffa150cbf94372f64306355a084333005699c465d63e93654390be