Malicious PDF — malware analysis report

Static analysis result for SHA-256 7677ba2c22fc4beb…

Verdict: MALICIOUS
Type: PDF
Size: 74.0 KB
Created: 2021-03-12 06:31:11 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 610d69925a5973ebd8c641ad0b106307
SHA-1: 20525a764153994d47871d6fcf6c6bad81b98a24
SHA-256: 7677ba2c22fc4beb65343677ee3c88b6314f5b2fe30a1da0d927e4f57f22bbce
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

This PDF was classified as malicious by the ML classifier (Nyx PDF Classifier, score 0.9991) and by ClamAV, whose signature labels it a phishing trojan. The document carries a large number of external links forming a link farm; the primary URL is https://nipisod.ru/award?keyword=behaviorist+theories+pdf. The document body is heavily obfuscated. The volume of external links points to an attempt to route readers to malicious or unwanted-software sites, or to manipulate search-engine rankings; the keyword-stuffed primary URL and the wkhtmltopdf origin fit an automatically generated SEO carrier rather than a hand-written document. Note that although T1059.007 (JavaScript) is tagged, none of the five static heuristics below reports JavaScript, so treat that mapping as unconfirmed by this static pass.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (5)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains a mass external PDF link farm
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware under the signature named above.
  • [info] PDF_URI: External URI
    The PDF contains an external URL action (/URI).
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://nipisod.ru/award?keyword=behaviorist+theories+pdf
    Link-farm targets (ten on *.weebly.com subdomains, the rest spread across many unrelated hosts):
    • https://mevepabazeme.weebly.com/uploads/1/3/4/0/134013418/rawudobesogabul-wixujosikamofe-gujijekeforobel.pdf
    • https://muragifenujokuf.weebly.com/uploads/1/3/1/1/131164382/xariw.pdf
    • https://nopiwevupemaro.weebly.com/uploads/1/3/4/6/134653234/73ce63.pdf
    • http://flowerport.store/correct_the_mistakes_in_the_sentencescl7t9.pdf
    • http://nanolenka.xyz/kumunogurq9ug.pdf
    • https://wumikedamuzu.weebly.com/uploads/1/3/4/3/134324885/27dd6439f56.pdf
    • https://lejalebenepuk.weebly.com/uploads/1/3/0/7/130776022/c954e2.pdf
    • https://fimudelowuj.weebly.com/uploads/1/3/1/4/131455024/nakaduwidemabegeti.pdf
    • https://wiwufupa.weebly.com/uploads/1/3/2/8/132814928/savajivolelebar-dopozus-nekosofebazuvat.pdf
    • https://wewowalowumuv.weebly.com/uploads/1/3/4/0/134040384/697bd9b415a7.pdf
    • http://moshon.space/club_car_precedent_body_panels1r27k.pdf
    • https://nakofasojerurog.weebly.com/uploads/1/3/4/5/134592478/9350186.pdf
    • http://itawomen.fun/lowrance_elite-5_dsi_c_gps9rbv9.pdf
    • http://trafikcezaodebayisi.com/wavamamesaxuzufdwu6z.pdf
    • http://storedubai.shop/how_do_i_change_my_bluetooth_to_englishpzslj.pdf
    • http://nenonazuf.scienceontheweb.net/bososesomilijituxogatidir.pdf
    • http://goldstein.berlin/conversin_de_pulgadas_cuadradas_a_centimetros_cuadrados5odtn.pdf
    • http://rasezatoxefu.mygamesonline.org/pride_and_prejudice_2005.pdf
    • https://werukubafufu.weebly.com/uploads/1/3/4/0/134000234/gesiposevi.pdf
    • http://jidapuxedepu.medianewsonline.com/felonatovupafumexalivuxuk.pdf
    • http://xakazasaravi.onlinewebshop.net/mikinuxetagipamexiseg.pdf
    • http://lukafimagog.atwebpages.com/wununurikebe.pdf
    • http://zewadomi.myartsonline.com/moscow_metro_map_english_russian_2020.pdf
    • http://jitawidavez.atwebpages.com/the_burning_wheel_codex.pdf
    Metadata URIs rather than link targets (XMP namespace identifiers written by the authoring tool, and the vendor, designer and licence URLs of the kind carried in embedded fonts' name tables); expected in wkhtmltopdf output and not actionable on their own:
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
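Added example, not the analysis platform's code: a minimal re-implementation of two of the heuristics above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, working directly on raw PDF bytes. The PDF it scans is constructed inline (the URLs, the object layout and the JavaScript-bearing redefinition of object 3 are all invented for the test), and the thresholds max_size, min_links and min_share are assumptions, not the platform's values.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Every "N G obj ... endobj" in file order. The lookbehind stops "14 0 obj" from also
# matching as "4 0 obj"; re.S lets object bodies span lines.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
# /URI (literal string) inside an action dictionary; literal strings may escape ( ) and \.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# Keys that make a redefined object "active content" for the duplicate-object rule.
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction", b"/AA",
               b"/SubmitForm", b"/GoToR", b"/URI")


def pdf_objects(data):
    """Yield (num, gen, body, offset) for each indirect object definition, in file order."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip(), m.start()


def duplicate_objects(data):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: same (num, gen) defined twice with different bytes.
    Records what first-wins and last-wins parsers each resolve; severity is raised only
    when one of the bodies carries active content, mirroring the rule text."""
    first, last = {}, {}
    for num, gen, body, _off in pdf_objects(data):
        first.setdefault((num, gen), body)   # first-wins view
        last[(num, gen)] = body              # last-wins view
    findings = []
    for key, body in first.items():
        if last[key] != body:
            active = any(k in body or k in last[key] for k in ACTIVE_KEYS)
            findings.append({"obj": key, "first_wins": body, "last_wins": last[key],
                             "active": active, "severity": "high" if active else "info"})
    return findings


def link_uris(data):
    """Targets of /URI actions (link annotations), with PDF literal-string escapes undone."""
    return [re.sub(rb"\\(.)", rb"\1", m.group(1)).decode("latin-1")
            for m in URI_RE.finditer(data)]


def site_of(url):
    """Last two host labels, a rough stand-in for the registrable domain so that
    s1.example-farm.net and s2.example-farm.net count as one site (real code: use the PSL)."""
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def link_farm_score(data, max_size=200_000, min_links=10, min_share=0.6):
    """PDF_SEO_LINK_FARM: small file, many external links, most of them on one site.
    The three thresholds are assumptions for this example."""
    uris = [u for u in link_uris(data) if u.lower().startswith(("http://", "https://"))]
    sites = Counter(site_of(u) for u in uris)
    top_site, top_n = sites.most_common(1)[0] if sites else ("", 0)
    share = top_n / len(uris) if uris else 0.0
    return {"size": len(data), "links": len(uris), "top_site": top_site,
            "top_share": round(share, 2),
            "flag": len(data) <= max_size and len(uris) >= min_links and share >= min_share}


def build_sample_pdf(urls, redefine_page=False):
    """Constructed test input, not the analysed sample: one page with a /Link annotation per
    URL. With redefine_page=True an incremental update redefines object 3 (the page) so it
    carries a JavaScript /AA action: a first-wins reader still sees the link farm, a
    last-wins reader sees a page that runs script when opened."""
    annots = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(urls)))
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [" + annots + b"] >>"]
    for i, u in enumerate(urls):
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 %d 200 %d] /A << /S /URI /URI (%s) >> >>"
                    % (12 * i, 12 * i + 10, u.encode("latin-1")))
    pdf, offsets = bytearray(b"%PDF-1.4\n"), []
    for n, body in enumerate(objs, 1):
        offsets.append(len(pdf))
        pdf += b"%d 0 obj\n%s\nendobj\n" % (n, body)
    xref = len(pdf)
    pdf += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    pdf += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    pdf += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref)
    if redefine_page:
        off = len(pdf)
        pdf += b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        pdf += b"/AA << /O << /S /JavaScript /JS (app.alert(1)) >> >> >>\nendobj\n"
        xref2 = len(pdf)
        pdf += b"xref\n3 1\n%010d 00000 n \n" % off
        pdf += b"trailer\n<< /Size %d /Root 1 0 R /Prev %d >>\nstartxref\n%d\n%%%%EOF\n" % (
            len(objs) + 1, xref, xref2)
    return bytes(pdf)


# Invented URLs for the test: 12 on one site, 3 elsewhere.
SAMPLE_URLS = ["https://s%d.example-farm.net/%d.pdf" % (i, i) for i in range(12)] + [
    "http://first.example/a.pdf", "http://second.example/b.pdf", "https://third.example/c.pdf"]

if __name__ == "__main__":
    print(link_farm_score(build_sample_pdf(SAMPLE_URLS)))
    for f in duplicate_objects(build_sample_pdf(SAMPLE_URLS, redefine_page=True)):
        print(f["obj"], f["severity"], f["first_wins"][:40], b"->", f["last_wins"][-60:])
```

Scanning raw bytes rather than walking the cross-reference table is deliberate: it sees every object definition in the file, including ones no xref entry points to, which is exactly what duplicate detection needs. The trade-off is that objects packed into compressed object streams (/ObjStm) are invisible to the regex until the streams are inflated, so a production scanner has to decompress those first.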

Extracted artifacts (2)

Files carved from inside the sample during analysis.

font_00_sfnt_off0000e5b6.bin
  SHA-256: 2886b7987d208135cdf412b0ac5b76e3d22bf134acbe4f02559a5edf1aa6a8b6
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xE5B6
  Size: 5208 bytes

font_01_sfnt_off0000f777.bin
  SHA-256: 9da819fc8b39fafc7e7a5be97ca94991552a8b92502c4715fbe47bf2fc4d0ad1
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF777
  Size: 10596 bytes