Malicious PDF — malware analysis report

Static analysis result for SHA-256 b8bb4794aed10c0f…

Verdict: MALICIOUS
File type: PDF
Size: 79.0 KB
Created: 2021-03-29 14:06:42 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-08-25
MD5: 070764b76e958279ed9159c0190c7592
SHA-1: d88c63278aa9c1cb6a629e6eda98ea81880ae214
SHA-256: b8bb4794aed10c0f9ccc6d21bc2782db7c82a1b762f6e96c5586741675b958a3
Risk Score: 196

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, many of which point to SEO-optimized redirectors designed to phish users or distribute malware. The heuristics 'PDF_SEO_LINK_FARM' and 'PDF_SEO_UTM_REDIRECTOR_LINK' indicate a deliberate attempt to create a link farm for malicious purposes. The primary malicious URL identified is https://zajinet.ru/wix?keyword=ohio+county+numbers+50, which is likely used to host or redirect to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) (high, PDF_SEO_UTM_REDIRECTOR_LINK)
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (source channel in parentheses):
    • https://zajinet.ru/wix?keyword=ohio+county+numbers+50 (PDF link annotation)
    • https://cdn-cms.f-static.net/uploads/4443814/normal_602df6f060ee4.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4408176/normal_5ffef1e832cd1.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://uploads.strikinglycdn.com/files/7e711970-327b-402e-8f2d-a8acd39151d0/grammar_quiz_grade_6.pdf (in PDF document text)
    • https://s3.amazonaws.com/gajabedafot/world_war_z_ps4_gamespot.pdf (in PDF document text)
    • https://s3.amazonaws.com/bezutu/87429211630.pdf (in PDF document text)
    • https://s3.amazonaws.com/tezude/xutaxobetolini.pdf (in PDF document text)
    • https://s3.amazonaws.com/tokatefozude/79973367677.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/3884191e-1b19-44b1-bc59-9c70d694f59a/16426463563.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/7b962be1-c21a-4dc1-9f90-8a4fefcecf43/2012_toyota_highlander_owners_manual.pdf (in PDF document text)
    • https://s3.amazonaws.com/zamuriza/what_is_the_meaning_of_the_corporate_veil.pdf (in PDF document text)
    • https://s3.amazonaws.com/zabejuvijolu/fananusigowaje.pdf (in PDF document text)
    • https://s3.amazonaws.com/mubemutolewe/cisco_firepower_2110_data_sheet.pdf (in PDF document text)
    • https://s3.amazonaws.com/dazifozixawus/vp_of_data_science_salary_san_francisco.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/e4617d32-1736-4bd9-9d0f-18c14891fd46/central_route_to_persuasion_ads_examples.pdf (in PDF document text)
    • https://s3.amazonaws.com/zetubakuz/fijemelosibizajezirode.pdf (in PDF document text)
    • https://6baea7ca-81e4-4a11-8410-716433a99462.filesusr.com/ugd/764aaa_c6e7081019ab4e01ae2a9dd0b262794b.pdf?index=true (in PDF document text)
    • https://s3.amazonaws.com/jenisozazewubo/71890211714.pdf (in PDF document text)
    • https://s3.amazonaws.com/sinamozagemoger/indices_and_logarithms_exercises_and_answers.pdf (in PDF document text)
    • https://089130c0-62ae-4bf1-a93c-656440fe8451.filesusr.com/ugd/738632_dec20ef4d6ba4f79a630cf5798c5f4c8.pdf?index=true (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000f601.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF601
    Size: 5332 bytes
    SHA-256: 5685cbc05ae363c2990bb9fb5a443e25f7859c52cfb519f4690efac76745c580
  • font_01_sfnt_off00010802.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10802
    Size: 10940 bytes
    SHA-256: a859664f8658d81c811f1038fcb294ab644d1bd32953a41408f33020aa6f84a0