Malicious PDF — malware analysis report

Static analysis result for SHA-256 b24d835e505a7ad8…

Verdict: MALICIOUS
File type: PDF
Size: 76.5 KB
Created: 2021-05-20 22:54:58 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-24
MD5: 1e5be20330be7d1903f637d79d0f4262
SHA-1: 1cd803fd4e81f2a77c3d4819a36feb5a2da303af
SHA-256: b24d835e505a7ad818ab6f67569fdd96cdebd7e386d2da3af15f4861d63dc2e0
Risk Score: 154

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'https://yafferge.ru/strik'. The ML classifier also strongly flagged this PDF as malicious. While no scripts were extracted, the presence of a malicious URL strongly suggests an attempt to lure the user to a compromised site, likely for phishing or to download further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://yafferge.ru/strik?utm_term=which+is+the+best+book+to+learn+astrology (In PDF document text)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000e099.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE099
    Size: 5168 bytes
    SHA-256: 3e4dadb5c12eeec8114f0614b005104665309bbdcb363e939f4c9736a8003d18
  • font_01_sfnt_off0000f227.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF227
    Size: 10628 bytes
    SHA-256: df5f20ee81298d6e036d08df9b895b0a3ed67d7a5f7dd0ffe0f3e25ef1d35844
  • font_02_sfnt_off00011685.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11685
    Size: 4324 bytes
    SHA-256: a542ec26cea93e049a2e27cd59b1347dd9bbdea13775fd7b822b3c2b3136116f