Malicious PDF — malware analysis report

Static analysis result for SHA-256 572743d68a8d8589…

Verdict: MALICIOUS
File type: PDF
Size: 107.8 KB
Created: 2021-03-14 23:50:34 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f0b98732ebe2ccbe87a03c146e4ed732
SHA-1: f97916de95fa4605d1461b8bf6c1e7188f3d5eff
SHA-256: 572743d68a8d8589a55ec2968c26928a166900eb207d1614b4d462903c373847
Risk score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript (none of the heuristics below reports JavaScript in this sample; the only evidenced channel is /URI link actions, so this mapping is not supported by the extracted evidence and should be treated as unverified)

This PDF was flagged by ClamAV and by the Nyx ML classifier, so malicious intent is very likely. The file is small (107.8 KB) and was produced with wkhtmltopdf, an HTML-to-PDF converter commonly used for bulk template generation, and it carries a large number of clickable external links to .pdf paths concentrated on a few hosts (cdn.sqhk.co, uploads.strikinglycdn.com and several *.filesusr.com subdomains). The link file names mimic unrelated everyday documents (game downloads, study guides, product information) rather than legal filings; only the primary URL, https://nipisod.ru/award?keyword=allahabad+high+court+judgement+on+ram+janmabhoomi+pdf, uses a court-judgement keyword as its lure. This pattern matches a generated SEO/link-farm carrier that funnels users into malicious or unwanted-software download chains. Two of the extracted URLs, http://www.ascendercorp.com/ (with /typedesigners.html) and http://scripts.sil.org/OFL, are font-licence references that most likely originate from the embedded font's name table rather than from link annotations and should not be treated as indicators.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9435

Heuristics (4)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • [info] PDF_URI: External URI action
    PDF contains an external URL action
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL:
    • https://nipisod.ru/award?keyword=allahabad+high+court+judgement+on+ram+janmabhoomi+pdf
    Other extracted URLs:
    • https://cdn.sqhk.co/xarozowuzosa/C1EhipV/royal_robots_battleground_game.pdf
    • https://cdn.sqhk.co/kifukuvitog/hjK5ZUp/playmobil_pogromcy_duchow.pdf
    • https://cdn.sqhk.co/lofesaxudiwo/vNx5Eif/playrix_gardenscapes_free_download.pdf
    • http://barajofa.mywebcommunity.org/29414323314.pdf
    • http://gafuvufafokujop.sportsontheweb.net/the_taming_ofthe_shrew_act_2_scene_1_analysis.pdf
    • https://cdn.sqhk.co/fisejadiruw/5gi77gf/mcdonald_s_breakfast_hours_us.pdf
    • https://cdn.sqhk.co/mujejadalale/ihoJbgg/47468351843.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://f4ef19d8-372f-49db-bbb6-0f5e16bfa625.filesusr.com/ugd/070799_4b46fbfda4b24159ba60001bc90d51e4.pdf?index=true
    • https://uploads.strikinglycdn.com/files/ba3d1a94-cf02-4885-9b86-889c02f4988c/42349949599.pdf
    • https://uploads.strikinglycdn.com/files/8b5a5bb8-5fc5-4bb6-a017-f2cef9f9327c/kubirevesepixeba.pdf
    • https://9d1e48ad-bcd7-4831-9b7b-7108443a63b6.filesusr.com/ugd/136d07_5df33ad1c3014cb480a479f5fec7d9dd.pdf?index=true
    • https://uploads.strikinglycdn.com/files/fbbd5c4e-ae51-484b-8862-2a40d06c889e/xodobuvumavozeginipika.pdf
    • https://bc732cde-fb09-4fee-8ab5-c82a45a1131b.filesusr.com/ugd/2ac701_5d2901f5365341699107b4c4d55b97b8.pdf?index=true
    • https://uploads.strikinglycdn.com/files/656574bf-873f-41de-b906-a6316252f174/reading_order_of_three_dark_crowns.pdf
    • https://uploads.strikinglycdn.com/files/aa7e363e-607d-4ed9-a7fb-ea0c99942b4e/xin_vang_song.pdf
    • https://uploads.strikinglycdn.com/files/623ccd6a-b4a6-418d-9078-cc8a911feab5/is_denture_adhesive_safe_to_swallow.pdf
    • https://uploads.strikinglycdn.com/files/e9ead01e-86c4-4bfa-a069-8297520159d7/hikvision_error_code_153.pdf
    • https://5c71d6b4-13b5-43a2-97a4-9a0eba4d0f4d.filesusr.com/ugd/0f1814_6f32b851cf0545dbab3c21b783fc28e9.pdf?index=true
    • https://fa886832-b9e3-4ce5-a98c-97da2614721f.filesusr.com/ugd/9f8050_42e108aa76a14e77a68b5bed671e7f0b.pdf?index=true
    • https://uploads.strikinglycdn.com/files/94458181-f60f-4d1e-9552-d53d3e8620ab/graphic_logo_design_online_free.pdf
    • https://27f1a270-5048-4778-87f0-574dfe85248a.filesusr.com/ugd/b7306e_36ff607c5f02440bba4075c074e6c7ce.pdf?index=true
    • https://80172413-d145-4b71-b7cf-4a007d76ad29.filesusr.com/ugd/cacfd7_1981d6cb6d58439eac779b8d2384804b.pdf?index=true
    • http://scripts.sil.org/OFL
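The PDF_SEO_LINK_FARM heuristic and the EMBEDDED_URL extraction above can be reproduced with the standard library alone. The block below is an added example written for this page, not the analysis engine's own code: it pulls every /URI action out of a PDF (raw objects and FlateDecode-compressed object streams), groups the targets by site and applies the "small file, many external .pdf links, clustered on one site" rule. The thresholds, the crude registrable-domain approximation and the constructed sample PDF are assumptions; the sample URLs are a subset of the list above.

```python
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

# Assumed thresholds for this illustration (not the engine's real values).
MAX_SIZE_BYTES = 512 * 1024      # "small PDF"
MIN_LINKS = 8                    # "many clickable external links"
MIN_PDF_RATIO = 0.6              # share of links whose path ends in .pdf
MIN_TOP_SITE_SHARE = 0.3         # share of links on the single busiest site

# /URI (...) literal string, as written by /Link annotations with /S /URI.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def _unescape(s: bytes) -> str:
    # PDF literal strings escape ( ) and \ with a backslash.
    return re.sub(rb"\\([()\\])", rb"\1", s).decode("latin-1")


def extract_uris(pdf: bytes) -> list:
    """Every /URI target in raw objects plus inside inflated Flate streams
    (generated PDFs often keep annotations in compressed object streams)."""
    blobs = [pdf]
    for m in STREAM_RE.finditer(pdf):
        try:
            blobs.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # uncompressed or other filter: the raw scan still sees it
    return [_unescape(m.group(1)) for b in blobs for m in URI_RE.finditer(b)]


def _site(url: str) -> str:
    # Crude registrable-domain approximation (last two labels): fine here,
    # wrong for co.uk-style suffixes. A real tool would use the Public Suffix List.
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def link_farm_verdict(pdf: bytes) -> dict:
    """Re-implementation of the PDF_SEO_LINK_FARM heuristic for one file."""
    ext = [u for u in extract_uris(pdf) if urlsplit(u).scheme in ("http", "https")]
    n = len(ext)
    sites = Counter(_site(u) for u in ext)
    top_site, top_n = sites.most_common(1)[0] if sites else (None, 0)
    pdf_n = sum(urlsplit(u).path.lower().endswith(".pdf") for u in ext)
    v = {"size": len(pdf), "external_links": n, "sites": dict(sites),
         "pdf_link_ratio": pdf_n / n if n else 0.0,
         "top_site": top_site, "top_site_share": top_n / n if n else 0.0}
    v["PDF_SEO_LINK_FARM"] = (len(pdf) <= MAX_SIZE_BYTES and n >= MIN_LINKS
                              and v["pdf_link_ratio"] >= MIN_PDF_RATIO
                              and v["top_site_share"] >= MIN_TOP_SITE_SHARE)
    return v


# Constructed sample input: a subset of the URLs listed in this report.
SAMPLE_URLS = [
    "https://nipisod.ru/award?keyword=allahabad+high+court+judgement+on+ram+janmabhoomi+pdf",
    "https://cdn.sqhk.co/xarozowuzosa/C1EhipV/royal_robots_battleground_game.pdf",
    "https://cdn.sqhk.co/kifukuvitog/hjK5ZUp/playmobil_pogromcy_duchow.pdf",
    "https://cdn.sqhk.co/lofesaxudiwo/vNx5Eif/playrix_gardenscapes_free_download.pdf",
    "https://cdn.sqhk.co/fisejadiruw/5gi77gf/mcdonald_s_breakfast_hours_us.pdf",
    "https://cdn.sqhk.co/mujejadalale/ihoJbgg/47468351843.pdf",
    "http://barajofa.mywebcommunity.org/29414323314.pdf",
    "http://gafuvufafokujop.sportsontheweb.net/the_taming_ofthe_shrew_act_2_scene_1_analysis.pdf",
    "https://uploads.strikinglycdn.com/files/ba3d1a94-cf02-4885-9b86-889c02f4988c/42349949599.pdf",
    "https://uploads.strikinglycdn.com/files/8b5a5bb8-5fc5-4bb6-a017-f2cef9f9327c/kubirevesepixeba.pdf",
    "http://www.ascendercorp.com/",       # font-licence URLs: non-.pdf noise
    "http://scripts.sil.org/OFL",
]


def build_sample_pdf(urls, compress_from=8) -> bytes:
    """Constructed PDF with one /Link annotation per URL. The first
    `compress_from` annotations are plain objects; the rest are packed into a
    FlateDecode object stream. No xref is written: scanner input, not a
    viewer-valid file."""
    def annot(u):
        s = u.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
        return (f"<< /Type /Annot /Subtype /Link /Rect [0 0 100 10] "
                f"/A << /S /URI /URI ({s}) >> >>").encode("latin-1")
    refs = " ".join(f"{10 + i} 0 R" for i in range(len(urls)))
    out = [b"%PDF-1.7\n",
           b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
           b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
           f"3 0 obj << /Type /Page /Parent 2 0 R /Annots [{refs}] >> endobj\n".encode()]
    out += [b"%d 0 obj " % (10 + i) + annot(u) + b" endobj\n"
            for i, u in enumerate(urls[:compress_from])]
    bodies = [annot(u) for u in urls[compress_from:]]
    offs, pos = [], 0
    for b in bodies:                      # object stream header: "num offset" pairs
        offs.append(pos)
        pos += len(b) + 1
    hdr = " ".join(f"{10 + compress_from + i} {o}" for i, o in enumerate(offs)).encode() + b"\n"
    data = zlib.compress(hdr + b"\n".join(bodies) + b"\n")
    out.append(b"4 0 obj << /Type /ObjStm /N %d /First %d /Length %d /Filter /FlateDecode >>\nstream\n"
               % (len(bodies), len(hdr), len(data)) + data + b"\nendstream endobj\n")
    out.append(b"trailer << /Root 1 0 R >>\n%%EOF\n")
    return b"".join(out)


if __name__ == "__main__":
    print(link_farm_verdict(build_sample_pdf(SAMPLE_URLS)))
```

The verdict dictionary carries the per-site counts so an analyst can see the clustering rather than only a boolean. Two limitations worth knowing before pointing this at real samples: /URI values stored as hex strings (`<...>`) or as indirect string objects are not matched by the regex, and links reached through JavaScript (`app.launchURL`) or form submit actions are a different channel entirely, which is why the report labels each URL by the channel that reached it.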

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0001888e.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1888E  5476 bytes
SHA-256: d5b902e0c468d8ef66a3a22badb77214ea0c601050837dfba24f627a5ada6d66
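An artifact like the one above is carved by locating an sfnt header (TrueType, CFF-based OpenType or Apple "true") and sizing the font from its own table directory rather than trusting the enclosing stream's /Length. The block below is an added example written for this page, not the engine's carver. It assumes the font stream is stored uncompressed (a FlateDecode font stream must be inflated before scanning), and the minimal two-table font and the surrounding PDF fragment are constructed test data, not a usable font.

```python
import struct

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true")  # TrueType, CFF OpenType, Apple


def sfnt_length(buf: bytes, off: int):
    """Extent of the sfnt whose header starts at `off`, computed from its own
    table directory, or None if the bytes there are not a plausible header."""
    if off + 12 > len(buf):
        return None
    num_tables = struct.unpack_from(">H", buf, off + 4)[0]
    if not 0 < num_tables < 64:             # random byte matches fail this bound
        return None
    dir_end = 12 + 16 * num_tables          # the directory itself at minimum
    end = dir_end
    for i in range(num_tables):
        rec = off + 12 + 16 * i
        if rec + 16 > len(buf):
            return None
        tag, _csum, toff, tlen = struct.unpack_from(">4sIII", buf, rec)
        if not all(0x20 <= c <= 0x7E for c in tag):   # tags are printable ASCII
            return None
        if toff < dir_end or off + toff + tlen > len(buf):  # data follows the directory
            return None
        end = max(end, toff + tlen)
    return end   # tables are 4-byte padded; a trailing pad may follow this point


def carve_sfnt_fonts(buf: bytes):
    """Scan for sfnt headers and return (offset, length, bytes) per font.
    The 'head' table also begins with 0x00010000, so the scan jumps past each
    validated font instead of advancing byte by byte."""
    found, pos = [], 0
    while True:
        hits = [i for i in (buf.find(m, pos) for m in SFNT_MAGICS) if i != -1]
        if not hits:
            return found
        off = min(hits)
        n = sfnt_length(buf, off)
        if n:
            found.append((off, n, buf[off:off + n]))
            pos = off + n
        else:
            pos = off + 1


def build_sample_sfnt() -> bytes:
    """Constructed minimal TrueType-flavoured sfnt: header, two table records
    ('head', 'name') and their 4-byte-padded data. Not a usable font."""
    tables = [(b"head", b"\x00\x01\x00\x00" + b"\x00" * 50),
              (b"name", b"Ascender sample\x00")]
    n = len(tables)
    es = n.bit_length() - 1                 # entrySelector = floor(log2(n))
    sr = 16 << es                           # searchRange = 16 * 2**entrySelector
    hdr = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", n, sr, es, 16 * n - sr)
    recs, data, off = b"", b"", 12 + 16 * n
    for tag, body in tables:
        recs += struct.pack(">4sIII", tag, 0, off, len(body))
        body += b"\x00" * (-len(body) % 4)  # pad table to 4 bytes
        data += body
        off += len(body)
    return hdr + recs + data


def build_sample_pdf_with_font():
    """Constructed PDF fragment holding the sample font in an uncompressed
    font stream; returns (pdf_bytes, expected_font_offset)."""
    font = build_sample_sfnt()
    head = (b"%PDF-1.7\n5 0 obj << /Length " + str(len(font)).encode()
            + b" >>\nstream\n")
    return head + font + b"\nendstream\nendobj\n%%EOF\n", len(head)


if __name__ == "__main__":
    pdf, expected = build_sample_pdf_with_font()
    for off, n, _ in carve_sfnt_fonts(pdf):
        print(f"sfnt at offset 0x{off:X} ({'expected' if off == expected else 'unexpected'}), {n} bytes")
```

Sizing from the table directory is what makes the carve trustworthy: a /Length that is too short or too long (common in generated or damaged PDFs) does not change which bytes the font parser will actually consume, and a carved file that ends exactly at the last table is what downstream font-parser fuzzing or triage tooling expects.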