Malicious PDF — malware analysis report

Static analysis result for SHA-256 f3e22f44875c3320…

MALICIOUS

PDF

82.9 KB Created: 2021-05-08 23:21:48 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 21057e5c6ad7c71a5f37f49574a5752d SHA-1: 7b53fb83c3c76a6c14f5e15d77af112fa5c71a76 SHA-256: f3e22f44875c3320f81b55f4b9c47955164cc6e95ce02524a4b8a03bd25f048a
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous external links, with a significant number pointing to potentially malicious domains, indicative of a link farm or phishing campaign. The ML classifier and ClamAV detection strongly suggest malicious intent. The presence of a 'download button' heuristic further supports the lure-based attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ponafet.ru/strik?utm_term=how+to+connect+logitech+k400%252B+keyboard
    • http://swiss-gear.shop/mebuveruwupoxijanabegfgbwc.pdf
    • http://chambreapp.xyz/how_many_questions_are_on_the_cdl_class_a_general_knowledge_test1rhfy.pdf
    • http://bezprovodov.guru/fastlane_road_to_revenge_gameclwnw.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/b061ab05-1de4-4e7b-9a4a-815e703bec23/emerald_spire_columnar_crabapple_edmonton.pdf
    • https://uploads.strikinglycdn.com/files/367c1774-31b5-4984-9bff-8a4f14f92670/list_of_prime_numbers_1_to_500.pdf
    • http://lupumik.rf.gd/51977711082.pdf
    • https://b54663a3-ff9d-4122-b75c-69b71428c9b0.filesusr.com/ugd/cfa91a_99ad1c51b5744d8fbb22e51550636132.pdf?index=true
    • https://c183b790-cb34-49aa-848e-1a9f2b14dda3.filesusr.com/ugd/d8966e_6245a5538a1c4f69a92a6dc92b167eaf.pdf?index=true
    • https://uploads.strikinglycdn.com/files/3f8fbeae-51dc-4f2a-8fc4-80cb2d095923/4456191788.pdf
    • https://4e33067b-0f13-4bed-bb9c-ea95f768fd7c.filesusr.com/ugd/23924c_b759590ffa44486c8a50cabe8e841a91.pdf?index=true
    • https://30621b86-6952-4b41-80af-4d24d830bc7c.filesusr.com/ugd/122077_e7dae35d3b69477ca5777ffbbe7fe682.pdf?index=true
    • https://5e9816b5-e261-4a84-a5c7-594b6999e1c8.filesusr.com/ugd/eb2f7d_78259bfa96614ce4b82276916ce0790e.pdf?index=true
    • http://wekidezeze.epizy.com/plague_inc_all_unlocked_apk_ios.pdf
    • https://22fea36a-5e19-4af1-b4aa-fe6e1efe0ee9.filesusr.com/ugd/b5a188_de11451773d342ccb5ac35998a02bde2.pdf?index=true
    • https://521a9f5b-5c7e-4f25-a9e4-5446fb1b1975.filesusr.com/ugd/c1a494_bc74e7b41d5b4b4781680ba6a93596fb.pdf?index=true
    • https://31e64076-56b3-4e53-9780-179364fbad2f.filesusr.com/ugd/d8d3cb_d0c5e2a5983f4f8db50a08bca5cbc854.pdf?index=true
    • https://44407f20-7244-4107-9544-84d8151b6f9a.filesusr.com/ugd/8508de_b1ba74c7fa7c4c22986977000f4ac42a.pdf?index=true
    • https://uploads.strikinglycdn.com/files/7be10a0c-1deb-4bba-bfb8-d2b9026c38de/azure_image_to_text_api.pdf
    • https://uploads.strikinglycdn.com/files/f4c7ce38-d305-4b05-b852-d2f79d284541/29605978898.pdf
    • https://uploads.strikinglycdn.com/files/64a09071-c6cd-49bf-a320-5f780acff257/98415437586.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000fbc6.bin
85b852a646f632d06593cbf69921ec9f66ef13d20d4ec15b9f67a1a780006c3b		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFBC6 5612 bytes
font_01_sfnt_off00010ef2.bin
f220e5287f4d52664cec0a2c4ab093d825273d9480fbc255c21dee5043e58408		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10EF2 15852 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.