Malicious PDF — malware analysis report

Static analysis result for SHA-256 9dd219adf38deb3f…

Verdict: MALICIOUS
File type: PDF
Size: 85.5 KB
Created: 2021-03-09 13:28:39 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-05-26
MD5: fadd3c4363209c01bbcd6095ea4fecea
SHA-1: 46496de5dd815fa7c7b9e1d4111760f60e30444c
SHA-256: 9dd219adf38deb3fee910c565dd5a9f7e81c408c4fbdb3180ddcdc1f7ffcbc59
Risk Score: 244

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file contains numerous embedded links, many of which point to disposable hosting or known malicious redirectors, such as https://crophysi.ru/award?keyword=bullet+journal+online+pdf. The ML classifier and ClamAV detection strongly indicate malicious intent, likely for phishing or malware distribution. The document body, though heavily obfuscated, appears to be a lure related to 'bullet journal online pdf'.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting (severity: medium, rule: PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://crophysi.ru/award?keyword=bullet+journal+online+pdf (in PDF document text)

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000ee4d.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEE4D
    Size: 4864 bytes
    SHA-256: a11fec4bc6754bfbb98c2a54dee045407815c2f668ff9d6c352aa827fe867247
  • Filename: font_01_sfnt_off0000fee7.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFEE7
    Size: 11252 bytes
    SHA-256: 15b9a3878fa35b7e10f4c9e345db115c882c17b407e089d5486d35a65629c2b5
  • Filename: font_02_sfnt_off00012514.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12514
    Size: 16232 bytes
    SHA-256: cc032a1d7efe9f52c63bdca4360dad9aff78fb14a47167d9e0089e6cc9416013
  • Filename: font_03_sfnt_off00013a2f.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x13A2F
    Size: 4324 bytes
    SHA-256: ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3