Malicious PDF — malware analysis report

Static analysis result for SHA-256 f21df24a08df8bad…

MALICIOUS

PDF

87.5 KB Created: 2021-04-03 20:27:12 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-24
MD5: 7199366ca960a08d498cf4de387b51c2 SHA-1: e111b9e0f477e7b87bd97cb9ae8b60e08a875f32 SHA-256: f21df24a08df8bad62ca2a1b3127633d34c34fa0a8bbf8c5beb6db06bc19da78
166 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution T1059.007 JavaScript

The PDF file was flagged by ML classifiers and ClamAV as malicious, specifically as a phishing trojan. Heuristics indicate it uses a social engineering lure to prompt the user to install a browser extension or update, a common method for credential theft or malware delivery. The embedded URL `https://zajinet.ru/award?keyword=chuy%25E1%25BB%2583n+%25C4%2591%25E1%25BB%2595i+file+pdf+sang+jpg+online` is associated with this malicious activity.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9988

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://zajinet.ru/award?keyword=chuy%25E1%25BB%2583n+%25C4%2591%25E1%25BB%2595i+file+pdf+sang+jpg+online PDF link annotation
    • http://update-win20.online/the_lord_of_the_rings_movies_vs_books431v1.pdfIn PDF document text
    • http://sweetmeet.online/sailing_made_easyzcpn3.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4468531/normal_604f7a41beb5e.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4466413/normal_600902102a4d4.pdfIn PDF document text
    • http://itdiscounts.pro/89633039152cya0b.pdfIn PDF document text
    • http://reduslimitaly-official.site/80454595469gtr2r.pdfIn PDF document text
    • http://idealslim-ordina.site/do_hotpoint_dryers_have_a_reset_buttonio38z.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4492900/normal_60321ea05b074.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/9ab12d6b-8272-48d6-8b66-fc180e2f3a4d/41664923012.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/5530bd6a-eb5c-4685-be0a-6631b6944d45/xemejidubilemage.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/f0687b5f-5e5f-4921-b506-b58a51d8d08e/tigonemol.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/70e95b33-c78a-432a-b302-2f784ac53c96/43018607608.pdfIn PDF document text
    • https://s3.amazonaws.com/widetunipet/blank_receipt_template_doc.pdfIn PDF document text
    • https://s3.amazonaws.com/sinadi/itunes_12._10_2.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/5d79293d-a6b1-49a0-8fca-1c21af234a77/introduction_to_commercial_law_book.pdfIn PDF document text
    • https://s3.amazonaws.com/davubewu/24392626719.pdfIn PDF document text
    • https://s3.amazonaws.com/mevuzokekenojab/josasisarol.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/815522ab-2b8f-441e-b07a-e54ba7ac483e/49939725625.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/e6739e49-0f5a-4ce8-81e9-804373584dcd/32576654857.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/adfcbef4-1555-4d7b-9130-f67f56bc61a2/clicker_garage_door_keypad_temporary_code.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/70f6e6eb-9714-4b58-b05a-c8f479c1f6b0/can_drinking_cause_belly_fat.pdfIn PDF document text
    • https://s3.amazonaws.com/wolawatin/88600756405.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • https://savannah.gnu.org/projects/freefont/In PDF document text
    • http://www.gnu.org/licenses/In PDF document text
    • http://www.gnu.org/copyleft/gpl.htmlIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000dc3e.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDC3E 6568 bytes
SHA-256: 18f4960a52d64bc83d6c304eee4b25c9ca37eec54c0f4efd5701b5568bea1fd1
font_01_sfnt_off0000ec8d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEC8D 5856 bytes
SHA-256: 7554a10a580c54608333ff221ff939af0ae88d1584cd831f061d5805f6c37335
font_02_sfnt_off0000ffaa.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFFAA 2468 bytes
SHA-256: 97eba41688159dda411f1b9098f7622d09f9f4ab19da262cd5bf7b279d1fd567
font_03_sfnt_off00010abe.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10ABE 18904 bytes
SHA-256: 2dd5390de2418eb102184e42803770b2b0f1c5454e404ffebcc0d802fc0a642e
font_04_sfnt_off00013881.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x13881 16036 bytes
SHA-256: 354dce64f07f3d7acdf6a04edf763950ffbfec4edcbb4bfe17b65a83544077bb

Open this report in the interactive analyzer, or submit your own file for analysis.