Malicious PDF — malware analysis report

Static analysis result for SHA-256 b94b046f3f792aab…

Verdict: MALICIOUS
File type: PDF
Size: 81.7 KB
Created: 2021-04-08 08:33:11 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-08-20
MD5: e2df651b61e582d73bff4a66d4f86df4
SHA-1: 21e7023dbf4099d658570411eaf17e8bee68bcb9
SHA-256: b94b046f3f792aab927c94f1a4418763338a92467e395c9eb5f0fdb338e7dccf
Risk Score: 234

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains numerous external links, many pointing to disposable hosting, suggesting a link farm designed to distribute malware. The presence of a 'download button' lure and a 'password-protected archive' hints strongly towards a phishing or social-engineering attack. ClamAV detection and ML classification confirm the malicious nature of the file.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9996

Heuristics (8)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Password-protected archive handoff (high, SE_PASSWORD_ARCHIVE_LURE)
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning.
  • Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure (low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00010117.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x10117; Size: 5160 bytes
    SHA-256: f28d3b461e4c6fcfdd256f2cc30e20c06b922a73ae2e679455b010e5f87b8775
  • font_01_sfnt_off000112c7.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x112C7; Size: 11280 bytes
    SHA-256: 8f11b4f5cac00609b4711b6d1e55f7f33cfc5cce736794325fc94a3f55b6f3cf