Malicious PDF — malware analysis report

Static analysis result for SHA-256 f30277adb4eb7e7d…

Verdict: MALICIOUS
File type: PDF
Size: 285.4 KB
Created: 2021-03-28 22:37:29 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-23
MD5: 7ca62dff7730f28d293fc0bf1451aeef
SHA-1: bc5f7456456c1f016015ec27d7e3d07f6b3890e2
SHA-256: f30277adb4eb7e7d8c8e6f95cccd7586b7f8d1d8bed7937ae14dc3c4e05387d0
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains embedded links to known malicious redirector infrastructure, specifically `https://yafferge.ru/award?keyword=crimson+dragon+slayer+pdf`. The ML classifier and the ClamAV detection strongly indicate malicious intent. Although no scripts were extracted, the PDF structure and the embedded URLs suggest the document is designed to trick users into visiting a malicious site, most likely for phishing or to download a secondary payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9895

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so the severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0003695c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x3695C | 66496 bytes
  SHA-256: 1e4bb9df3e3834a2c7a7c4eb2818af828f058c07daaa5c1cdfce7a2ab09a0de7
font_01_sfnt_off00042ffd.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x42FFD | 5368 bytes
  SHA-256: ec8d1e97b7abd89502babae7c77baafe1b6615ff603d57522c52b2069836f02e
font_02_sfnt_off0004422d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x4422D | 11168 bytes
  SHA-256: e36ad6ca103529697da415b0cdaa4a17f94729f1092d8c82dab150909588a1eb