Malicious PDF — malware analysis report

Static analysis result for SHA-256 251e574e414d8f95…

MALICIOUS

PDF

Size: 81.2 KB
Created: 2021-03-06 09:43:55 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 08ee6c366d3db5c156cbc03454bb46f1
SHA-1: 77a3d12f6a8c683449fc2ee0cc4ce0e11a121b2f
SHA-256: 251e574e414d8f9566bd6464bc6e245214df3eb25c85fc37058cf47c35fa8bbd
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by ClamAV as 'Pdf.Phishing.Trojan' and an ML classifier returned a high probability of maliciousness. It contains a large number of external links, many of which are to benign-looking PDF files, suggesting a link farm or SEO manipulation tactic. One of the embedded URIs, 'https://nipisod.ru/wix?keyword=icu+guidelines+india', is suspicious and likely serves as a lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] (PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://nipisod.ru/wix?keyword=icu+guidelines+india
    • https://cdn.sqhk.co/fuvebopeweb/eGpzSvm/41506655929.pdf
    • https://static.s123-cdn-static.com/uploads/4411923/normal_6007d627ea879.pdf
    • https://cdn-cms.f-static.net/uploads/4405208/normal_5fd2c54e3e93d.pdf
    • https://static.s123-cdn-static.com/uploads/4407571/normal_5ff857082ece1.pdf
    • https://cdn-cms.f-static.net/uploads/4491933/normal_6020b6cb20345.pdf
    • https://cdn.sqhk.co/nexoratuxi/TTHFjfC/pokemon_home_mystery_gift_codes_2020.pdf
    • https://static.s123-cdn-static.com/uploads/4383128/normal_5fc6105b054f1.pdf
    • https://tubenuluni.weebly.com/uploads/1/3/1/4/131437864/bizat_sopeweliruf_xudebidakos_kewezuwo.pdf
    • https://fijojonibiw.weebly.com/uploads/1/3/2/6/132681787/bifinixejikosupora.pdf
    • https://vonewujin.weebly.com/uploads/1/3/1/3/131380349/kiwenufu.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/c3e324d0-10e9-44e0-beb8-8dae9180f255/curse_of_the_crimson_throne_map_folio.pdf
    • https://uploads.strikinglycdn.com/files/ce5d697f-69df-40bd-8a8e-29a928ea92cb/does_dunkin_donuts_sugar_free_syrup_have_carbs.pdf
    • https://uploads.strikinglycdn.com/files/8d37b1ed-26d0-41e7-b29a-39b2fa268256/wozulejeva.pdf
    • https://uploads.strikinglycdn.com/files/4468a8cd-bfe7-4d6a-a4c5-3a5bd5c29f81/jelagesofebakemufojan.pdf
    • https://uploads.strikinglycdn.com/files/6e902700-f62c-4b40-a074-ad595373f64e/how_to_fix_print_cartridge_problem_hp.pdf
    • https://uploads.strikinglycdn.com/files/81d0de9a-5c60-4f29-9a1a-b04c24aebb4f/39964611134.pdf
    • https://uploads.strikinglycdn.com/files/81ab4bda-e789-44de-aab9-aa288a0a936c/58691622981.pdf
    • https://uploads.strikinglycdn.com/files/cb9a02c0-30c5-4e4c-a58c-6ef3e293b318/how_to_change_zoom_audio_settings_on_ipad.pdf
    • https://uploads.strikinglycdn.com/files/c7c8de78-ccc1-416b-9872-0d1a18d2caf3/which_tube_has_the_highest_lipase_activity.pdf
    • https://uploads.strikinglycdn.com/files/07eee1eb-1984-4d50-8edb-2bc52e27ea68/what_is_the_biggest_penguin_species.pdf
    • https://uploads.strikinglycdn.com/files/bbd65795-d253-4292-b2f8-f43371f0add8/man_the_unknown_book_in_hindi.pdf
    • https://uploads.strikinglycdn.com/files/4800b484-7ead-462e-b631-7214ff771ba6/lamizufi.pdf
    • https://uploads.strikinglycdn.com/files/d5996748-bcdf-4af0-8fa6-20182b9df5e9/70967095996.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off0000f60e.bin
    SHA-256: bfe0dc153681097767a502500e951f35b52152a5902aa9a12f1749480de4b764
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF60E
    Size: 4640 bytes
  • font_01_sfnt_off000105cc.bin
    SHA-256: 0388d86e67eadd40721ad8626ecba854b14fc313ec861660e9449a22cdeb1ddd
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x105CC
    Size: 10424 bytes
  • font_02_sfnt_off0001295e.bin
    SHA-256: 0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1295E
    Size: 4324 bytes