Malicious PDF — malware analysis report

Static analysis result for SHA-256 c3423af38a0dbcff…

MALICIOUS

PDF

77.7 KB Created: 2021-04-09 04:11:07 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-27
MD5: a2a5e7420cc124ee5a7ebc86cd132e74 SHA-1: 6cdb45586a8be983d9b3012160aeaca3bc62c4f8 SHA-256: c3423af38a0dbcffd07901a64ebe24f8586c0d1e7987da350ddcfe80d1f28098
226 Risk Score
Tags
free-cdn-ebook-manual-lure

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous external links, many of which are algorithmically generated and hosted on disposable domains, indicating a link farm designed to distribute malicious content. One such link, http://privateguardingserviceagainstdanger.site/ms_project_online_trial7n2w2.pdf, is directly flagged as a PDF link to a malicious URL. The document body, though partially corrupted, suggests a lure related to 'interview questions for technical support analyst'. The presence of ClamAV detection and ML classification further supports its malicious nature.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9956

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF link to algorithmically-generated URL high PDF_RANDOM_URL_LINK
    PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://lozipotod.ru/strik?utm_term=interview+questions+for+technical+support+analyst PDF link annotation
    • https://cdn.sqhk.co/letarezetap/gchdjaG/lolegafofapolad.pdfIn PDF document text
    • http://life-news.tech/planbook_plus_loginzzg8x.pdfIn PDF document text
    • http://privateguardingserviceagainstdanger.site/ms_project_online_trial7n2w2.pdfIn PDF document text
    • http://lightly.store/chickie_and_pete_s_nutrition_guidejo9et.pdfIn PDF document text
    • https://cdn.sqhk.co/tamaladafa/hak3PNT/home_makeover_hidden_object_game_free_download.pdfIn PDF document text
    • https://cdn.sqhk.co/tojorovexuw/b6H4jiz/bypass_frp_09_2016_android_6_apk.pdfIn PDF document text
    • http://fullstacket.online/batiwewidetupewqvfum.pdfIn PDF document text
    • http://e-devletodeme.net/eyelash_extension_training_online_cheapkx2zb.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/b6a56b49-5713-40ec-84d5-0f722dd20b4e/11252935179.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/327fae43-79e3-40d5-a7a8-2ea0ca720464/xarinonopazudivir.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/bf7c70e5-0003-4b91-ac9f-412dbe23885e/buketafujoloxemimexepawe.pdfIn PDF document text
    • https://4be8a7ba-6c9a-47a4-99fc-a5961b41a404.filesusr.com/ugd/132250_7e92635cf0614d64a375041df7d05920.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/dd2ce471-04d4-4ede-b153-6597230537ae/how_to_program_rca_universal_remote_to_toshiba_tv.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/53b53b39-def5-43f1-8bbd-17840b10c2b3/89952478322.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/1bc86e21-e486-458b-994e-b9016bff6855/28395093906.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/e42f437c-e887-4a35-98fd-e93a27a62e92/67358109168.pdfIn PDF document text
    • https://83372c7a-1065-4b07-8284-b64562b46e84.filesusr.com/ugd/035489_d8db12afa5f44d0bb46c8c211a4f012a.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/e1470e19-ff31-48f6-a56d-742e5d41b34a/does_fitbit_track_jump_rope.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/00504831-3255-4b14-a7a9-e45080a6901d/vifudigifi.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/67493004-1497-4fae-b047-a9c0a1a13c86/webogid.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/790916c7-130a-4b93-bdcb-6767600272e0/62172275305.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/fc1b7119-05c0-4149-be5f-e8b38f93a29e/wiserirafe.pdfIn PDF document text
    • https://ff9dba89-6132-4485-99c2-ace8a2453124.filesusr.com/ugd/c3f59f_efe13eae19e64feaaddcbd4f350663b1.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/d33e2cf3-dcbb-4c54-a0ee-0bf5759c9377/44171780296.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/7a5dcb65-45e7-4633-95a1-23d1b977dfb8/nazm_hikmet_ak_szleri_ksa.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/680a01af-63dc-4730-9baf-82807ad6d56c/musical_scripts.pdfIn PDF document text
    • https://528f6e5c-6927-42ef-b7a5-a8f9c349750c.filesusr.com/ugd/07b979_ebab6029eac1428ca5c5bad34526bd44.pdf?index=trueIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f178.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF178 5420 bytes
SHA-256: 284dfd714e0e755ffc5357ccfdd6e7a7a366050ccfe92e496e2cbc092e572ded
font_01_sfnt_off00010409.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10409 10808 bytes
SHA-256: e8117c66d0e7d982f6b407eddfd048079b5ea76441df9c25314d899a5d94ab6e

Open this report in the interactive analyzer, or submit your own file for analysis.