Malicious PDF — malware analysis report

Static analysis result for SHA-256 255ad0c789f4cdff…

MALICIOUS

PDF

Size: 191.7 KB
Created: 2018-04-25 17:58:29 +03:00
Authoring application: wkhtmltopdf 0.12.4 (via Qt 4.8.7)
First seen: 2021-09-24
MD5: c119a351d4481f7b73872107492355c5
SHA-1: 9475c9212ddf3fe6c684ad8aebb4725ef5dce04d
SHA-256: 255ad0c789f4cdffb4b96d4d2abb7cf329322639d783dfe0c093b71ae28e64bf
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF contains numerous links, many of which are hosted on disposable domains and advertise cracked software, indicating a lure for users seeking illicit software. The ML classifier strongly flagged this PDF as malicious, and an external URI was detected pointing to a suspicious domain. While no scripts were extracted, the document's structure and embedded links suggest it is designed to redirect users to malicious content or phishing sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9886

Heuristics (4)

  • PDF link farm advertises cracked/pirated software (severity: medium; rule: PDF_CRACKED_SOFTWARE_LURE)
    PDF contains many clickable links whose targets use cracked-software, keygen, serial-key, or warez vocabulary. These are SEO-spam lure documents that rank for software-piracy searches and route users to fake 'crack' download pages distributing potentially-unwanted programs, adware, or droppers. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting (severity: medium; rule: PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (severity: info; rule: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://renimba.info/wp1?keyword=%D0%B3%D0%B4%D0%B7+%D0%B0%D0%BB%D0%B3%D0%B5%D0%B1%D1%80%D0%B0+10+%D0%BA%D0%BB%D0%B0%D1%81%D1%81+%D0%B0%D0%BB%D0%B8%D0%BC%D0%BE%D0%B2+%D0%BA%D0%BE%D0%BB%D1%8F%D0%B3%D0%B8%D0%BD+%D1%81%D0%B8%D0%B4%D0%BE%D1%80%D0%BE%D0%B2+%D1%84%D0%B5%D0%B4%D0%BE%D1%80%D0%BE%D0%B2%D0%B0+%D1%88%D0%B0%D0%B1%D1%83%D0%BD%D0%B8%D0%BD+%D0%B3%D0%B4%D0%B7 (channel: PDF link annotation)
    • https://boymemtoma1970.files.wordpress.com/2018/04/wakonupuv-prints-shchelkunchik-torrent-nizolibijezeta.pdf (channel: PDF document text)
    • https://killhinlikid1987.files.wordpress.com/2018/04/bifoko-shkala-perevoda-ballov-ege-2017-matematika-profilnyi-uroven-otsenka-vumupo.pdf (channel: PDF document text)
    • https://manryleramb1975.files.wordpress.com/2018/04/rozowaloserig-epsxe-1-9-0-rus-skachat-torrent-besplatno-wipoxotul.pdf (channel: PDF document text)
    • https://killhinlikid1987.files.wordpress.com/2018/04/kukidedo-nokia-225-draivera-1011-wugulaviziben.pdf (channel: PDF document text)
    • https://hyapuwatchre1980.files.wordpress.com/2018/04/jinawumele-kontrolnaia-po-matematike-6-klass-umnozhenie-drobei-merzliak-nojegarune.pdf (channel: PDF document text)
    • https://img0.liveinternet.ru/images/attach/d/0//5910/5910834_medikuangliiskiiiazyk2klassavtorbykovagdzfubunal.pdf (channel: PDF document text)
    • https://rimervikab1977.files.wordpress.com/2018/04/jalixali-gdz-po-angl-millenium-10-klass-zogapulifewole.pdf (channel: PDF document text)
    • https://img0.liveinternet.ru/images/attach/d/0//5906/5906179_suvugegdz9klassrusskiiiazykrazumovskaia2014goddixes.pdf (channel: PDF document text)
    • https://eridprasar1975.files.wordpress.com/2018/04/fexulus-gdz-ot-putina-7-klass-russkii-iazyk-razumovskaia-rixuvul.pdf (channel: PDF document text)
    • https://cirrgeekbgosen1984.files.wordpress.com/2018/04/biwiwajuzenonor-gdz-8-klass-biologiia-laboratornye-raboty-voneriji.pdf (channel: PDF document text)
    • https://inpetfipen1982.files.wordpress.com/2018/04/pajonugex-kz-04-kontroller-ogranicheniia-dostupa-k-bankomatu-instruktsiia-nakam.pdf (channel: PDF document text)
    • https://rlinekabet1989.files.wordpress.com/2018/04/marajuko-pluraleyes-3-5-torrent-sony-vegas-dunegig.pdf (channel: PDF document text)
    • https://glutirtanria1971.files.wordpress.com/2018/04/wadutuw-gdz-po-angliiskomu-5-klass-uchebnik-starlait-baranova-2015-kolurakonofano.pdf (channel: PDF document text)
    • https://digimvaze1975.files.wordpress.com/2018/04/ganulokivuxo-gdz-matematika-5-klass-merzliak-chast-2-barirabixerod.pdf (channel: PDF document text)
    • https://alluhoscard1974.files.wordpress.com/2018/04/gerus-prilozhenie-fogeim-skachat-besplatno-diwogugixum.pdf (channel: PDF document text)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: stream_002_off0000a4c5.bin
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0xA4C5
Size: 1485561 bytes
SHA-256: 1718db8b7c6a44712dc1b3acee434281abf7527ebf6ea299260c2277eb5af585