Malicious PDF — malware analysis report

Static analysis result for SHA-256 59cf0ccd94a46a16…

Verdict: MALICIOUS
File type: PDF
Size: 80.3 KB
Created: 2021-06-13 00:43:10 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: afacd78616d87809b91b366229e8b01e
SHA-1: 4129f96d6e0b72bdad647990c209a6b314910506
SHA-256: 59cf0ccd94a46a165a2fc2e23d4e94ffdfb2a83f8ac858f1b057dd071f74f778
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document is classified as malicious, exhibiting characteristics of a phishing or link farm attack. It contains a large number of external links, with a critical heuristic identifying it as a PDF link farm. The document body, though heavily obfuscated, suggests a lure related to a 'Ppsc challan form fill sample'. The presence of embedded URLs and the ML classifier output strongly indicate malicious intent, likely to redirect users to malicious sites or to manipulate search engine results.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                       Size
font_00_sfnt_off0000f94f.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xF94F    5256 bytes
  SHA-256: 235e746b9f3898555c23ec2c42e2b8a58850afdf4deebcd09a42111ec881d0be
font_01_sfnt_off00010b08.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x10B08   11488 bytes
  SHA-256: a2fa364f1cc137b190438a656358a5c9530f61cf278f3371eee3ded4c8d9bd40