Malicious PDF — malware analysis report

Static analysis result for SHA-256 faec644a269f30ea…

Verdict: MALICIOUS

File type: PDF

Size: 73.8 KB
Created: 2021-06-09 12:24:20 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 361864e041d8f31737ae5e503c188fbc
SHA-1: afd340a71996bfd23fd8372d2f757e3384df01ee
SHA-256: faec644a269f30eaa5f22ce41c34eac912c43466f6f500b211a2fbf29dbe2b54
Risk Score: 164

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

A link-farm heuristic fires on this PDF; the links target users searching for 'instant followers apk'. The file also carries an external URI action pointing to a suspicious domain, likely part of the same lure. The ML classifier and the ClamAV signature both indicate malicious intent and classify it as a phishing trojan. Although no scripts were extracted, the PDF structure and the embedded links indicate a document built to redirect users to malicious sites, potentially as the first stage of further payload delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (6)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL: https://pistant.ru/pbw?utm_term=instant+followers+apk
    • https://paseboke.weebly.com/uploads/1/3/4/4/134432883/muwafuro_xumowefijo_jedaguzazitil.pdf
    • https://cdn-cms.f-static.net/uploads/4426679/normal_602e20fa764cd.pdf
    • https://litexude.weebly.com/uploads/1/3/4/5/134592330/bbd1324d7c3a.pdf
    • https://jibidamo.weebly.com/uploads/1/3/5/3/135337573/fusag.pdf
    • https://cdn-cms.f-static.net/uploads/4425491/normal_5fd2df58bc788.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://mavawakuto.pbworks.com/f/maths_formulas_for_class_12_state_board.pdf
    • https://uploads.strikinglycdn.com/files/98acf6de-ddda-4d44-a611-bf90700e8502/sinopsis_del_cuento_la_mascara_de_la_muerte_roja.pdf
    • https://uploads.strikinglycdn.com/files/bd047c36-5d5c-4082-9b0c-7464165bb426/orbit_easy_dial_4_station_user_manual.pdf
    • http://zupelapowi.pbworks.com/w/file/fetch/144630132/lego_ninjago_season_14_episode_5_english_release_date.pdf
    • https://uploads.strikinglycdn.com/files/df58800a-981c-4cd6-aeea-74fb3cd984bf/musical_notes_names_do_re_mi.pdf
    • https://uploads.strikinglycdn.com/files/240f48e5-182d-4588-b29f-06fc3936305e/how_to_reset_code_on_ge_simon_xt.pdf
    • https://uploads.strikinglycdn.com/files/7ed552d9-2175-4d17-bad8-588f4e677caa/38121066753.pdf
    • http://jebodigezev.pbworks.com/w/file/fetch/144783978/mark_levine_jazz_theory_book_download.pdf
    • https://uploads.strikinglycdn.com/files/a2d10cec-2269-4cb5-aa14-606b18643c1b/what_are_the_vizio_remote_codes.pdf
    • https://uploads.strikinglycdn.com/files/c1c4603c-7aa6-4a28-ae2b-308781b04319/marvel_super_heroes_2_free_download.pdf
    • http://vibevekofano.pbworks.com/w/file/fetch/144655581/89561572823.pdf
    • https://uploads.strikinglycdn.com/files/3c572d1b-e641-4c36-9851-80217291ad72/28828906852.pdf
    • https://uploads.strikinglycdn.com/files/cb750a37-f8d6-4428-9f55-fa7402096bc6/singing_lessons_for_little_singers_level_a.pdf
    • https://uploads.strikinglycdn.com/files/9392763b-ca2d-4aa8-9d3a-45bf7f3b20e1/gilobeputarivosakeguked.pdf
    • http://fatakalewene.pbworks.com/f/mixed_tenses_exercises_with_answers_advanced.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000e2db.bin
    SHA-256: 873a9d2f72be871e9cac0727dacd8a9686a76642a60eefbdb5b90be628b0269a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE2DB
    Size: 4988 bytes
  • Filename: font_01_sfnt_off0000f3f9.bin
    SHA-256: f95b3cd9d39461123dac0a9c34bf4cb0fb2f13a4fefea46ac147ec3f17f69798
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF3F9
    Size: 11272 bytes