Malicious PDF — malware analysis report

Static analysis result for SHA-256 ae780c41e740922d…

Verdict: MALICIOUS
File type: PDF
Size: 85.0 KB
Created: 2021-04-03 19:13:09 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-08-20
MD5: 2084b189408cc74329a7ff2da8a87c43
SHA-1: c7c4c9a572f4170ab7828314ff18bc4aacf0ce59
SHA-256: ae780c41e740922ddc5e58752c8010c10e87216783e3381bdfb1e9159977de64
Risk Score: 126

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains embedded URLs and is flagged by heuristics as a link farm and a potential phishing/malicious document. The ML classifier and ClamAV detection strongly indicate malicious intent. The primary URL, 'https://zajinet.ru/award?keyword=affinity+photo+tutorial+pdf+deutsch', suggests a lure related to a tutorial, aiming to trick users into visiting a potentially harmful site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://zajinet.ru/award?keyword=affinity+photo+tutorial+pdf+deutsch (PDF link annotation)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off00010374.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10374 | 5336 bytes
    SHA-256: 06b3b501e5cc3e887c1415888e473820c84f67728da7509c6108ac3c855fbeb3
font_01_sfnt_off00011599.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11599 | 1800 bytes
    SHA-256: e9a5a1f6ed95b1e3669933bb00002ad32a1708c3e0b735191cad5e02368a6c7d
font_02_sfnt_off00011e27.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11E27 | 11628 bytes
    SHA-256: 0357d8551d365564c5bc606c9de6d2b282f3fce5f41fe8bfcd2644a264f7a217