Malicious PDF — malware analysis report

Static analysis result for SHA-256 5d9722097caaa937…

Verdict: MALICIOUS
File type: PDF
Size: 82.1 KB
Created: 2021-04-08 14:56:12 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e392598c8b465f242acea650fa280f8b
SHA-1: d20f7ca64ec6007c9093cddde6322805254dbf25
SHA-256: 5d9722097caaa937f420b51f4dc72d7c364707a04e587a3b545f5a2793f53d94
Risk score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by multiple heuristics, including PDF_SEO_LINK_FARM and ML_NYX_PDF_MALICIOUS, indicating a high likelihood of malicious intent. The presence of numerous external links, one of which is identified as a potential phishing or malware distribution URL (https://pelibifir.ru/strik), supports this assessment. ClamAV also detected the file as Pdf.Phishing.Trojan. The document body is heavily obfuscated and unreadable, suggesting it may contain embedded malicious scripts or exploit code.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://pelibifir.ru/strik?utm_term=what+merv+rating+is+filtrete+2200
    • https://ludakugoru.weebly.com/uploads/1/3/4/6/134698973/lunedijulaf_xefofogux_defulisekimixag.pdf
    • https://sesemuxedewa.weebly.com/uploads/1/3/4/0/134017121/zamarataluruwezax.pdf
    • http://sivolejujivozul.scienceontheweb.net/8771339485.pdf
    • https://bijufipenonovo.weebly.com/uploads/1/3/4/5/134529550/gewofova.pdf
    • http://pikegupima.medianewsonline.com/onn_tv_codes_for_cox_remote.pdf
    • https://donelodef.weebly.com/uploads/1/3/5/4/135401433/6a737f8.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/ae454b8a-4a49-4942-80b2-14c5856da79b/how_to_reset_nespresso_vertuoline_cup_size.pdf
    • https://0443db59-9f9d-4031-b786-8a5723798135.filesusr.com/ugd/ab62d6_3491c46903af49fc86633186310d8e1a.pdf?index=true
    • https://uploads.strikinglycdn.com/files/f6fcaf1c-5be0-4397-bf04-d8e67a7d039e/nawifarewezuzilaj.pdf
    • http://rijonitapadon.myartsonline.com/63194640834.pdf
    • https://0fecb50d-c8db-4b5c-a67e-01a13b1c0e9a.filesusr.com/ugd/da7c2d_bd648d098dc94ea59b0dc6e9b209ed0a.pdf?index=true
    • http://kufekisawisewo.onlinewebshop.net/linear_programming_algorithm.pdf
    • https://uploads.strikinglycdn.com/files/837f6f2a-2867-4cd1-afcb-bc3c0c852275/69179071812.pdf
    • https://43fe4710-460a-4ad3-90dc-2dd795c51528.filesusr.com/ugd/a32c20_20a9e2c7a5a24055a7ef78fecd02f668.pdf?index=true
    • https://b20aee1f-b1b7-4e4e-be5e-d884e4ece670.filesusr.com/ugd/10e3af_14523a53905f488c998fd93774932ffe.pdf?index=true
    • https://uploads.strikinglycdn.com/files/9270ca1e-0ad4-4cbf-ba6f-e6ede71a3d7e/nibepa.pdf
    • https://uploads.strikinglycdn.com/files/7cca7fd5-c114-4b3a-a0e9-5c82bf0f1c68/horse_drawing_for_kids.pdf
    • https://uploads.strikinglycdn.com/files/0be60b16-7c1d-423f-977c-a3ce311ab2bb/tokyo_ghoul_kaneki_and_touka_child.pdf
    • https://uploads.strikinglycdn.com/files/010a7e0d-f991-41a8-b3b5-78bea75d0f28/lotus_car_logo_vector.pdf
    • https://bac325b5-3710-4a60-ba01-c1ac5e8a7650.filesusr.com/ugd/c111de_5cb20bb715b94580a8817ac506f00dcd.pdf?index=true
    • http://kuxubakelixuzot.atwebpages.com/on_rhetoric_aristotle.pdf
    • https://uploads.strikinglycdn.com/files/9514bd18-a59b-4fcb-a2c3-813c2f438d61/venutiti.pdf
    • https://uploads.strikinglycdn.com/files/8933775e-2e29-46de-ae69-2b20372b78f8/kipabogodi.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000ff8c.bin | 3c4c6ca8fafe8d5af574dcccd423534cda78864dff4201877e760b17c3902d4d | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFF8C | 5528 bytes
font_01_sfnt_off00011245.bin | 62d5192689afd7e79ab452d05aa0b16590869e21e2fc48b1764260b9747c47eb | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11245 | 11588 bytes