Malicious PDF — malware analysis report

Static analysis result for SHA-256 55a38798306a7205…

MALICIOUS

PDF

58.6 KB Created: 2021-03-20 16:26:47 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 100dc39f7d17d76105736a2b3e199cf3 SHA-1: 82e9c44b009fd8573c4a906a1d841f275a0e94ce SHA-256: 55a38798306a7205fcbaca9a8d19681b290f2fb1cbcb3bf4d11fd82e3cd9e385
184 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The sample is a PDF file that contains numerous external links, many hosted on disposable domains, suggesting a link farm or SEO spam campaign. ClamAV detected it as Pdf.Phishing.Trojan, and ML classifiers also flagged it as malicious. The embedded URLs, such as 'https://nipisod.ru/award?keyword=verbal+vs+non+verbal+communication+pdf', are likely used to redirect users to malicious sites. No scripts were extracted, but the PDF structure and link farm behavior are indicative of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9468

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://nipisod.ru/award?keyword=verbal+vs+non+verbal+communication+pdf
    • https://rigawegafo.weebly.com/uploads/1/3/4/5/134587157/vikuxezax-salaxifodelufel-zosunurob-nenirulap.pdf
    • https://cdn-cms.f-static.net/uploads/4422134/normal_601dbd5e7702f.pdf
    • https://gizazegixewaner.weebly.com/uploads/1/3/4/5/134596748/6062531.pdf
    • https://nulepapilix.weebly.com/uploads/1/3/5/9/135957677/6094182.pdf
    • http://pusewuvi.medianewsonline.com/bryant_plus_90_secondary_heat_exchanger.pdf
    • https://tatelemu.weebly.com/uploads/1/3/1/1/131164239/juxamazezusunosorulo.pdf
    • https://baputopozim.weebly.com/uploads/1/3/5/3/135336161/cb4b86249cb.pdf
    • https://cdn-cms.f-static.net/uploads/4365601/normal_604e6d3124eb1.pdf
    • https://cdn-cms.f-static.net/uploads/4382408/normal_604b8196b1a8e.pdf
    • http://xirijapip.mypressonline.com/single_column_cash_book_problems_and_solutions.pdf
    • https://rokajovata.weebly.com/uploads/1/3/4/3/134376264/xitim.pdf
    • https://sinipipa.weebly.com/uploads/1/3/0/8/130874509/1157890.pdf
    • https://sozizupisez.weebly.com/uploads/1/3/1/8/131872239/71cae559d5779.pdf
    • https://cdn-cms.f-static.net/uploads/4483604/normal_6042b611e4262.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://0d3c4653-ec4b-4b04-9c20-59e348ba858e.filesusr.com/ugd/62200f_76beb94f14ec47498fd34809384c1cf0.pdf?index=true
    • https://0029a690-d003-4268-bdc7-e74daa5a0415.filesusr.com/ugd/a4b355_9b98d15626834c048c5fd70083f2658b.pdf?index=true
    • https://2ed9768e-82a7-41f7-bc91-4b86d8d7aa0f.filesusr.com/ugd/bdbd91_0f3c1ecf7b3a42c7aca04c63421fdea2.pdf?index=true
    • https://a3720f92-bdaa-4449-a3ff-14f36884d2d5.filesusr.com/ugd/afadc3_e2b6111816944e49b04a75cfbcc2b5e4.pdf?index=true
    • https://ca30e0e0-ecf2-44ab-b6a2-fe26291458be.filesusr.com/ugd/34e21e_196d50a40fb547668a06828246b7af4b.pdf?index=true
    • https://18e99e0c-7034-4a8c-9069-267580a295b8.filesusr.com/ugd/b337f5_633a8502d44b4fe39bef79859bf6b4da.pdf?index=true
    • http://scripts.sil.org/OFL

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000dac9.bin
b970e9355e0a79aa1d91c6eda21911342af93f6ab25464537fa312714905252b		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDAC9 5464 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.