Malicious PDF — malware analysis report

Static analysis result for SHA-256 fde9e0040111e5a8…

Verdict: MALICIOUS
File type: PDF

Size: 82.4 KB
Created: 2021-03-14 13:14:16 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-02
MD5: 83a3a827c04929ab76d4d412e032ac32
SHA-1: ecb9c0565fd41293818b14e64b526d64841351fe
SHA-256: fde9e0040111e5a826c0001f923fa38a659df7f7ccd685b7fc6e6179c96f0d87
Risk Score: 186

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains a large number of external links, many pointing to disposable domains, suggesting a link farm or phishing campaign. The primary external URL, https://zajinet.ru/strik?utm_term=mass+state+building+code+8th+edition, is likely the intended destination for the user, possibly leading to further malicious content or credential harvesting.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9997

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://zajinet.ru/strik?utm_term=mass+state+building+code+8th+edition (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0001035b.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1035B | 5444 bytes
  SHA-256: 4587274573c4a7762d07805d75d97c10833ab69c15ba7ef449af353ae04a3908
font_01_sfnt_off000115de.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x115DE | 11376 bytes
  SHA-256: 025436051f0c03d569285c630d90421e11bfc4674b3ff2f02aaeb032c19de3d0