Malicious PDF — malware analysis report

Static analysis result for SHA-256 5ccf9c40a4e71df2…

Verdict: MALICIOUS
File type: PDF
Size: 80.1 KB
Created: 2021-04-06 18:27:18 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4163a640bfcad568c69d70925a265eb0
SHA-1: d16450792e47c0b84f1c0d33641841a0f02ec351
SHA-256: 5ccf9c40a4e71df228b98607ac3b5545e57ccfc2c06c22ed3f05f9e0c9039ab1
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous external links, and a critical heuristic classifies it as a 'PDF_SEO_LINK_FARM'. One of the primary external URIs points to 'https://nipisod.ru/wix?keyword=soccer+ball+headstone', suggesting a lure to an attacker-controlled website. The ClamAV signature match and the ML classifier also indicate maliciousness, the latter returning a high malicious probability. Although no scripts were extracted, the embedded links and the matched heuristics indicate an attempt to redirect users to malicious content, most likely for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (5)

  • Small PDF contains mass external PDF link farm (severity: critical; ID: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (severity: critical; ID: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (severity: info; ID: PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info; ID: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info; ID: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://nipisod.ru/wix?keyword=soccer+ball+headstone
    • https://cdn-cms.f-static.net/uploads/4382189/normal_60504e1a4d59a.pdf
    • https://cdn-cms.f-static.net/uploads/4457570/normal_605956b3d7b88.pdf
    • https://cdn-cms.f-static.net/uploads/4467936/normal_601b575f38c26.pdf
    • https://static.s123-cdn-static.com/uploads/4451045/normal_5ff7ff4b3f6d9.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/padosumifubobo/rofodufulekire.pdf
    • https://s3.amazonaws.com/sorogamat/mugobeledot.pdf
    • https://uploads.strikinglycdn.com/files/b6faa189-be6c-4d6c-8f2c-9b2fc83a1890/12300685270.pdf
    • https://s3.amazonaws.com/gopuze/83066207916.pdf
    • http://fonenutekosut.epizy.com/sri_chaitanya_techno_school_chennai_uniform.pdf
    • https://9e1b5e4e-b4ab-405b-8fdf-b3b6d7b19c28.filesusr.com/ugd/94ea38_65cac9b2e6ad476ba24a7d23ca90fda2.pdf?index=true
    • http://maguliveguj.epizy.com/auditing_and_assurance_services_a_systematic_approach_10th_edition.pdf
    • https://8c1dc56a-a131-4b43-acff-3635b9115217.filesusr.com/ugd/90423f_7b2e7c1bbb884aa398b75a2b2b37451d.pdf?index=true
    • https://s3.amazonaws.com/wupagivoz/a_static_budget_is_appropriate_for.pdf
    • https://s3.amazonaws.com/wujixus/19519172134.pdf
    • https://uploads.strikinglycdn.com/files/4f1064f3-c34c-4a20-8341-f37da48c2a3e/new_king_james_version_bible_for_sale.pdf
    • http://vuwizovoxix.rf.gd/mokidi.pdf
    • https://uploads.strikinglycdn.com/files/31321c79-94ef-46bc-8da4-c6c4f0ec87fb/honeywell_rth2300_manual.pdf
    • https://uploads.strikinglycdn.com/files/bce296dd-7e8a-4e58-953f-42a0b874fc36/how_to_setup_canon_wireless_printer.pdf
    • https://39c10a3a-92c6-412a-a1bb-b8a1fc48fbc4.filesusr.com/ugd/259099_04a0f989e5364c44874f5be8f4d52bb6.pdf?index=true
    • https://s3.amazonaws.com/venunamazozuzo/redexumozedamanazasado.pdf
    • https://c931c956-7f53-4e4e-96dc-27d7f003ba63.filesusr.com/ugd/b80c10_ce68cdc7038c48e1bc0dc0f10b959fb5.pdf?index=true
    • http://beverotunege.epizy.com/zofafusajupifezuxazobo.pdf
    • https://s3.amazonaws.com/jefazaxal/winopigalog.pdf
    • https://uploads.strikinglycdn.com/files/47b3023c-df24-4dc5-8541-88d10abfe459/what_to_eat_for_gerd_patient.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename (SHA-256) | Kind | Source | Size
font_00_sfnt_off0000e8c7.bin (c248fd0527ff3ebb72069dd83f0f3a3208a98283ae0d2ed3f8e232c8cc47f0c8) | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE8C7 | 4404 bytes
font_01_sfnt_off0000f848.bin (b2bcbf8cd7596adacc6dd65f42d1a943819737b6b4e8fe64270c66e215ec1132) | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF848 | 5272 bytes
font_02_sfnt_off00010a21.bin (a6d683fe8d97548d69a85abc7d2ae8ecf92569c1e8793a4fec206e10800876ca) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10A21 | 11864 bytes