Malicious PDF — malware analysis report

Static analysis result for SHA-256 0bffde1cc6d900ef…

MALICIOUS

PDF

84.8 KB Created: 2021-03-29 09:20:47 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b1057e2cbcf2ea44e539cb12a0db3f54 SHA-1: 83a89b1aa35b0552caee67ff9392cd5d2ccfacd5 SHA-256: 0bffde1cc6d900ef517ee206ca5db81a008987a8185f450e981bef272325b11c
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document is classified as malicious, likely a phishing or link-farming attempt. It contains numerous external links, including one to 'nipisod.ru', suggesting it's designed to redirect users to potentially harmful websites. The document's content is obfuscated and appears to be generated by wkhtmltopdf, further indicating a non-standard or malicious purpose.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://nipisod.ru/wix?keyword=elimination+and+substitution+review+worksheet
    • https://cdn.sqhk.co/gewewoturila/v1hh0hn/electronic_component_suppliers.pdf
    • http://goldstein.berlin/9236792504zoy7y.pdf
    • http://belixawotid.66ghz.com/bikufilenuxomewo.pdf
    • https://cdn.sqhk.co/devisofage/ixibgcE/47461544135.pdf
    • https://cdn.sqhk.co/lijipatalenu/gdzhiib/netflix_series_formula_1_drive_to_survive.pdf
    • http://dwatches.site/20669065701v8moo.pdf
    • http://goossyy.online/gulegiwekivuval0vim.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/508db3b3-5c70-4d81-9878-04e7b16c0e63/guxuzokenuvetubes.pdf
    • http://rebukupomapet.rf.gd/klasifikasi_cacing_tanah_menurut_ekologi.pdf
    • https://b54663a3-ff9d-4122-b75c-69b71428c9b0.filesusr.com/ugd/cfa91a_753314ec89664f1c979d6c7406094ceb.pdf?index=true
    • https://f2d828cf-06d9-46ea-85af-d88b0bc20d44.filesusr.com/ugd/501a20_42c26de9444640bfaf9d92b950dbf2ed.pdf?index=true
    • https://704d67de-a0ba-412a-a77d-f8c4cf0d88a3.filesusr.com/ugd/a83d94_48f2bb7ea3e04ace9f20e4c25f01a0be.pdf?index=true
    • https://uploads.strikinglycdn.com/files/8df20da4-0740-4d33-a236-208f54ecef7c/melubuwefizidowo.pdf
    • https://uploads.strikinglycdn.com/files/e74115c7-d33f-43d6-8316-841657f76223/samsung_mu7000_hdmi_2.1.pdf
    • http://rusevajubaje.epizy.com/59241805433.pdf
    • http://vipowiso.epizy.com/multiplication_of_fractions_worksheets_with_answers.pdf
    • https://80820154-e864-4b0c-832b-212b24169927.filesusr.com/ugd/c12414_d559dbe07a7d439495b890e960cb4bd9.pdf?index=true
    • https://2daccc73-8708-4113-a26a-4f38906335d9.filesusr.com/ugd/f65175_5e1ab18073b449c185e6a2a8b9f78fd2.pdf?index=true
    • https://uploads.strikinglycdn.com/files/0f903d87-e559-4024-863b-7c7fcf73bd4e/why_is_my_internet_flashing_orange.pdf
    • https://uploads.strikinglycdn.com/files/f0d2ac94-fefb-4184-ad24-2ad0e22a42ae/10223625559.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e98d.bin
50ab7d913b4a1bab7552f0626828263d16a8879b8b05c98c91336bc0d537636b		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE98D 5260 bytes
font_01_sfnt_off0000fb4b.bin
df805cae7347917df92720ae53431c9025bb82cc2e4e3883387ffc6093965c10		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFB4B 11476 bytes
font_02_sfnt_off00012292.bin
e9fe716c2abc985b12a899a49d5539e4e8be1b56d50c083b30290d85a2a7c848		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12292 16092 bytes
font_03_sfnt_off0001375a.bin
0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1375A 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.