Malicious PDF — malware analysis report

Static analysis result for SHA-256 6eece9b13358db12…

Verdict: MALICIOUS
File type: PDF
Size: 84.6 KB
Created: 2021-03-25 13:19:12 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2001eda0e95319838332f261774abb2c
SHA-1: 427272591ebbbc8484170d178e94f5be6cca2fb2
SHA-256: 6eece9b13358db120b80c188f644347b202aaddddfbc72b4f65027f80e5696ff
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, many of which belong to a link farm designed to manipulate search engine results. The primary malicious URL identified is https://nipisod.ru/strik, which is likely used to host or redirect to a malicious payload. The PDF_SEO_LINK_FARM heuristic hit together with the ClamAV detection strongly indicates a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9993

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://nipisod.ru/strik?utm_term=cuanto+pesa+un+metro+cubico+de+arena+amarilla
    • https://salewuso.weebly.com/uploads/1/3/1/3/131379029/7d652ab5a6da.pdf
    • https://tekegalesi.weebly.com/uploads/1/3/0/7/130740489/9fbfb79cbda.pdf
    • http://zunuruxeguxifi.mygamesonline.org/causas_de_abdomen_agudo_quirurgico.pdf
    • https://biparobotimipus.weebly.com/uploads/1/3/4/4/134498468/xugojijuvelulerup.pdf
    • http://palikexifumalam.mywebcommunity.org/tutorial_autocad_2016_espaol.pdf
    • https://cdn.sqhk.co/nanagajog/gcvwkgf/68318554504.pdf
    • http://fazejajogavu.medianewsonline.com/64918542775.pdf
    • https://cdn.sqhk.co/kigaratak/gjgMSjg/zurepugu.pdf
    • https://cdn.sqhk.co/xugosovemi/gFigtih/58113608867.pdf
    • https://cdn.sqhk.co/jopuromug/jgTWge9/dafubewugovozegisabejavi.pdf
    • https://cdn.sqhk.co/ravuviwidi/bigUhgq/hyundai_archery_world_cup_2019_distance.pdf
    • https://ziresaro.weebly.com/uploads/1/3/4/5/134509830/7621432.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://e22e8d81-f41f-4d51-abb1-39b19d2d32bb.filesusr.com/ugd/96bf9d_91b6ecadc4fc4792b0beb4b8b4e68be2.pdf?index=true
    • https://5e54824a-8208-41b0-8aeb-7c017e8cfb46.filesusr.com/ugd/f64db8_9fbb01a03bd544078403ed8e44f21231.pdf?index=true
    • https://s3.amazonaws.com/jutenojamega/types_of_behavioural_disorders.pdf
    • http://netawuwimirixor.onlinewebshop.net/boys_don_t_cry_magazine.pdf
    • https://b133b025-67d1-4190-9e53-fbb99503dec2.filesusr.com/ugd/caf13f_3e23c4c5325f4d55b5b1724068a5d6a6.pdf?index=true
    • https://52a72965-a6d2-471e-b66a-59a59a4d663b.filesusr.com/ugd/e643da_2d63c81ca5b244ccb5d5a9223f1a7602.pdf?index=true
    • https://c3e810f9-371e-40b9-9a0b-4695a496ec77.filesusr.com/ugd/2c7c49_c8544f81dd05472bb9c856a5b4ea4f96.pdf?index=true
    • https://033a7475-7ccb-45c1-8f1e-38fd320d48d0.filesusr.com/ugd/03a576_ac542e3f3d854db0bdddcb13d87a5d5b.pdf?index=true
    • https://c6926203-1eb9-401e-9afa-11f61f201807.filesusr.com/ugd/685707_95cdc9cc10994e8b9894606696b2eeb3.pdf?index=true
    • https://6f847715-c85a-45d9-ae5c-7c68cc800588.filesusr.com/ugd/6e100b_9ded46fa93fa486d9285781cdf2e2e31.pdf?index=true
    • http://beliraguw.onlinewebshop.net/12619522638.pdf
    • https://s3.amazonaws.com/toliwudalamem/public_finance_and_taxation_questions_and_answers.pdf
    • https://s3.amazonaws.com/fusopoxipo/important_dates_during_the_renaissance.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000109cd.bin
SHA-256: 11c933715335b762165494becf2fa2a554c6f7662c8542ce88953aab2c84d42e
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x109CD
Size: 5264 bytes

Filename: font_01_sfnt_off00011b89.bin
SHA-256: 9e4274d49b8eca53aa7c6f0e6c12bbc56845b11a21263ac03f6fa486c668df33
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x11B89
Size: 12644 bytes