Malicious PDF — malware analysis report

Static analysis result for SHA-256 742e35e8e0bb3a76…

MALICIOUS

PDF

78.7 KB Created: 2021-03-20 07:45:16 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 25a951c7ed0138e4b49725cf0ab6341d SHA-1: 821ff67d99551cc72f5d608554b747019c7c1268 SHA-256: 742e35e8e0bb3a76b0a304144d7005049fc8c21f421332363236476ae567c373
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains a large number of external links, many of which are SEO-optimized and point to other PDFs, suggesting a link farm or content stuffing operation. The primary URL, 'https://nipisod.ru/strik?utm_term=is+the+red+tent+on+netflix', is likely intended to trick users into visiting a malicious site. While no scripts were explicitly extracted, the PDF structure and heuristic firings indicate malicious intent, likely related to phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://nipisod.ru/strik?utm_term=is+the+red+tent+on+netflix
    • http://fb-copyright-help-from.com/les_miserables_summary_bookr0bnx.pdf
    • http://mawifit.iblogger.org/airport_manager_2_mod_apk.pdf
    • http://bettyloustintruckbbq.com/gakixexedodafiwovokcrd22.pdf
    • http://politach.com/30009733456akkt0.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/abe085d4-53c2-4887-853b-98e3661e4d01/pepojapu.pdf
    • http://jitizukot.rf.gd/pediatric_anthropometry.pdf
    • https://s3.amazonaws.com/vabedafozo/66134979397.pdf
    • https://uploads.strikinglycdn.com/files/9107cf95-b753-4f1a-9235-9ddf80bb921a/dusodawowetada.pdf
    • https://s3.amazonaws.com/tevomenil/free_cover_letter_templates_for_law_enforcement.pdf
    • https://uploads.strikinglycdn.com/files/e6988dc0-0e23-4760-87cf-037ff9b911b4/lezojepotonububoneza.pdf
    • https://s3.amazonaws.com/panalipolifod/hp_arcsight_logger_admin_guide.pdf
    • https://uploads.strikinglycdn.com/files/e54eabca-4b28-4d37-9cf7-0c153efc2fca/93708356922.pdf
    • https://uploads.strikinglycdn.com/files/24ab3654-8d41-4fcb-8439-b525b896cb63/bugavoze.pdf
    • https://uploads.strikinglycdn.com/files/ed803b2b-ff1e-4a7c-9812-0a5073cdcfd3/lotulebogem.pdf
    • https://uploads.strikinglycdn.com/files/b18bfb60-ce74-47df-bf75-c3a30cc461cc/playstation_gold_wireless_headset_on_pc.pdf
    • https://bf68d742-fb98-404a-ab47-1dcf24f7df52.filesusr.com/ugd/83e7fd_5e9211d109a649528a41ba1ae01fae1a.pdf?index=true
    • http://bomiboduju.epizy.com/guzulilafapudi.pdf
    • https://4328a374-8b5c-4134-9cef-e132ca5fc89d.filesusr.com/ugd/6732b1_679655b711ff4966805269ac71cf243f.pdf?index=true
    • https://s3.amazonaws.com/tojazudibumogab/nojaxijusopelamum.pdf
    • https://uploads.strikinglycdn.com/files/a5636f1c-641d-47c5-bf65-1f22e3238081/berserk_volume_16_online.pdf
    • https://s3.amazonaws.com/dutuzanob/how_to_study_for_minnesota_drivers_test.pdf
    • https://uploads.strikinglycdn.com/files/4e864f89-2aba-4fb0-83e2-19977f70670d/mcsa_windows_server_2016_r2_complete_study_guide.pdf
    • https://uploads.strikinglycdn.com/files/6028ac9a-1cda-43f8-9763-0494a2168e00/favesirebaduloweguxovodi.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f75f.bin
cafaf76ef26d0013cc8a93752ec4093bfc7b14508fe674f93e32882f9be4370a		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF75F 4788 bytes
font_01_sfnt_off000107a6.bin
6cdd7bf52a436c908515d98fa5cb6b0815d6881b6dece22bade1cc8d73b8f8a2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x107A6 11196 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.