Malicious PDF — malware analysis report

Static analysis result for SHA-256 c3896c510caf94e3…

MALICIOUS

PDF

81.0 KB Created: 2021-03-31 04:26:59 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-21
MD5: 613478c6271e0a363216a35339a61c1d SHA-1: 61a87e3544a00c1a581ad5860fe6d7ec90f1f6e0 SHA-256: c3896c510caf94e370ab46dfc015cb70706cd891178ce89f9a65f1ad4414f3dd
166 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

This PDF was flagged by multiple heuristics as suspicious, including an invisible link to a suspicious domain and a link farm on disposable hosting. The ML classifier and ClamAV also identified it as malicious, specifically as a phishing trojan. The embedded URLs suggest a phishing or malware distribution attempt, likely using a lure to trick users into downloading further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Image-heavy PDF with invisible link to suspicious domain high PDF_SUSPICIOUS_LINK_LURE
    PDF is a small image-heavy lure with invisible link annotations that send the user to a suspicious high-risk-domain URI. This matches credential-phishing carriers where the visible document is only a prompt and the real collection flow happens on the linked website.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://xajibur.ru/strik?utm_term=a+game+of+thrones+book+chapter+summary PDF link annotation
    • http://dhl-order.info/sherlock_holmes_the_emerald_crown_espaoli5d9o.pdfIn PDF document text
    • http://zozegakipuvi.iblogger.org/platform_definition_in_tagalog.pdfIn PDF document text
    • http://visionnew.xyz/150237531014kf0g.pdfIn PDF document text
    • http://gouliwer.online/wenumonabalobazanusiym68.pdfIn PDF document text
    • http://ninefukesat.iblogger.org/kjv_apocrypha_concordance.pdfIn PDF document text
    • http://streichpack.online/viwujezarl5ac.pdfIn PDF document text
    • http://swiss-gear.shop/figuvopefif4agu6.pdfIn PDF document text
    • http://rmk4sale.xyz/functional_programming_in_python_oreillypiwft.pdfIn PDF document text
    • http://study-english-02.space/18989364904bwpza.pdfIn PDF document text
    • http://temilops.xyz/maravilloso_desastre_pelcula_2018ggut6.pdfIn PDF document text
    • http://consequences.space/zovosatupanubobalozudinuc4e8.pdfIn PDF document text
    • http://managerprogram.live/fozunoxubopudoxeaql.pdfIn PDF document text
    • http://basijinogasa.22web.org/71730964892.pdfIn PDF document text
    • http://hookup757.fun/zefutisiyfmsd.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://9e9203d9-9f5b-42f2-a849-05e42d741f90.filesusr.com/ugd/3527d5_ac61159113e744c4b0b459a7f3508d79.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/07f2d931-3faa-4683-8922-150adae17d8e/the_ultimate_guide_to_tarot_a_beginners_guide_to_the_cards.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/2b73e5ff-4258-4c13-a1e9-b2da5882ddf0/lifezesiwodup.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/bab0e751-ee11-4c2f-99e1-80ac886af977/5641542135.pdfIn PDF document text
    • https://144ece88-722e-4d59-a9d1-ae16887514c2.filesusr.com/ugd/48b17f_aefe096bb8674cb9ad808239759f62a0.pdf?index=trueIn PDF document text
    • http://lotumimo.epizy.com/vulewapebekiradavugageva.pdfIn PDF document text
    • https://9005981c-20a7-4b93-9dfe-a591c0bc6fcf.filesusr.com/ugd/afbba5_f0824eee65904d57aa0a70853c739df5.pdf?index=trueIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000fd8f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFD8F 5692 bytes
SHA-256: c7f7e4e10595d686f0345637eaa59429ece4ea73886d681a50ea1f663d6ab89a
font_01_sfnt_off000110d9.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x110D9 11156 bytes
SHA-256: d4fe0a1abf1fdf74390d3539036f39e4f472a7e6bbcc8a93a22e1710fc64f282