Malicious PDF — malware analysis report

Static analysis result for SHA-256 230a8d74b59fb49c…

MALICIOUS

PDF

87.7 KB Created: 2021-03-20 22:34:14 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: fb0131249085c65d1eb33a5cd82f80c4 SHA-1: ed06f9ee4bc9c131707dc8cdbefe08afd29e807c SHA-256: 230a8d74b59fb49c34038a38501b74fee6acdddf0b4d292aa8dbeee809517974
74 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains numerous external URIs, many hosted on disposable domains, indicating a link farm designed to obscure the true malicious destination. The ML classifier strongly flagged this PDF as malicious, and the presence of a 'download button' heuristic further supports a deceptive download lure. The primary malicious URL identified is https://pelibifir.ru/123?utm_term=zipgrade+answer+sheet+40.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9983

Heuristics 5

  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://pelibifir.ru/123?utm_term=zipgrade+answer+sheet+40
    • http://rubewox.sportsontheweb.net/britax_marathon_weight_limit_latch.pdf
    • http://popapirim.22web.org/pathfinder_kingmaker_companions_classes.pdf
    • http://nutunajika.66ghz.com/wanonukesa.pdf
    • http://uchebnoe.website/are_all_zojirushi_rice_cookers_made_in_japant03h3.pdf
    • http://tokigarodam.22web.org/biletogivonipuxidoru.pdf
    • http://aviabileti.ru/vasoluraoo98a.pdf
    • http://bibivire.mygamesonline.org/what_does_credit_terms_2_10_n_30_mean.pdf
    • http://bestunew.xyz/96210531721py7xw.pdf
    • http://luwogexejel.getenjoyment.net/how_to_read_pmbok_6th_edition.pdf
    • http://lalexejiwisejul.iblogger.org/gatudonux.pdf
    • http://volulolusawaz.mygamesonline.org/walubediborutabomakonupa.pdf
    • http://openlait.pro/reading_and_writing_k12q8sv9.pdf
    • http://phillipen.online/lixigemalipewaai9hd.pdf
    • http://vikiduxa.mywebcommunity.org/39030722718.pdf
    • http://winoxolupuvil.getenjoyment.net/putipafiwuv.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://e79dab91-b8ca-4f03-a7cf-74564eaa1d8a.filesusr.com/ugd/009cd4_867345aab783442faa6dcc8b2f4764aa.pdf?index=true
    • http://fukatotapi.epizy.com/biosphere_2_information.pdf
    • http://lelobuz.rf.gd/sharon_rogers_dark_star_uniform.pdf
    • https://06e27459-8a58-4d01-a48e-f853eab966f6.filesusr.com/ugd/55f1a0_55fc121c2abb455fb1264b25a94b3a94.pdf?index=true
    • http://zukagebogewivur.epizy.com/minecraft_thermal_expansion_5_guide.pdf
    • http://kuwaxubopuzar.rf.gd/la_boite_a_merveilles.pdf
    • https://aa4de0c4-a7fb-47f6-97fe-5721705e71c1.filesusr.com/ugd/824332_9c66a0a283d847448cb6d2fc3f2763ae.pdf?index=true
    • http://rurebafib.onlinewebshop.net/12977155780.pdf
    • https://c4a5d104-04f9-44e6-b03f-1f5edac3680f.filesusr.com/ugd/f23921_8add5d7ae41c4daab5895ea68241f6f6.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ee29.bin
ffa10ef3dd35f1e1f2f848bb721bcf4754cb236097fcd0054926979984dc26db		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEE29 5144 bytes
font_01_sfnt_off0000ffae.bin
8f4e79fcf64b32bee36ad6e8487e32dc99053be01dfb5b89463df537676275db		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFFAE 11572 bytes
font_02_sfnt_off00012764.bin
d25d10848e2f577f2c573adda33d8798141058ddea7f156a8f7d532b3b09d5c4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12764 17500 bytes
font_03_sfnt_off00014122.bin
7f6049e5011acf0e8581793f2bc2bb947aac2929fdb77abc318b2a6155c1ef71		 pdf-font-stream PDF embedded font (sfnt) at offset 0x14122 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.