Malicious PDF — malware analysis report

Static analysis result for SHA-256 863e22af6b897242…

MALICIOUS

PDF

64.5 KB Created: 2021-03-22 07:19:51 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6d88e323e1c097227be03c7a4484f6ba SHA-1: ac3750345629df52f77130bf26c53e43250b0cfb SHA-256: 863e22af6b8972426858b18b67bc6bba1fb0f58a2db935e8abe2d4d85db5df45
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF document contains numerous external links, identified as a link farm, and is flagged by ML classifiers and ClamAV as malicious. The primary malicious URL observed is https://nipisod.ru/wix?keyword=confidence+interval+worksheet+with+answers+doc, suggesting a phishing or malware distribution attempt. No scripts were extracted, but the presence of many external links indicates a likely attempt to redirect the user to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://nipisod.ru/wix?keyword=confidence+interval+worksheet+with+answers+doc
    • http://phtech.site/jexevesaxikewizowowebap8197u.pdf
    • http://vizerabo.iblogger.org/sitabikogakusasegiw.pdf
    • https://bigunumefojetaw.weebly.com/uploads/1/3/4/3/134314030/vufabarizodewe.pdf
    • http://item-mask.top/gabijusdmqdl.pdf
    • https://gegovowazuravas.weebly.com/uploads/1/3/1/3/131398401/f35512.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://0df22b04-17ae-4e65-9af8-3af4445b4601.filesusr.com/ugd/71fd01_b00911bb111f4c27971048eb41ca87b3.pdf?index=true
    • http://pabovabavuwemet.rf.gd/understandable_statistics_12th_edition_brase.pdf
    • https://uploads.strikinglycdn.com/files/1bf09a58-1087-46d9-a8b8-de34d1cae6d6/88594931500.pdf
    • https://uploads.strikinglycdn.com/files/ea14e7be-80d2-4624-a38f-ac06247a0749/xaremunefetix.pdf
    • https://3c3b6f52-20a2-448a-be11-eec5930c502f.filesusr.com/ugd/0ca786_0ac2ec3a7be74bff809970b8b4c6454b.pdf?index=true
    • https://b4140449-9b96-4148-8619-c9b3eed7b48c.filesusr.com/ugd/c33cdb_a0be9458e138457d91794ba020197517.pdf?index=true
    • https://7fd92c66-d3af-485c-b7a9-31529ddfb1b5.filesusr.com/ugd/997d0f_824b2f91b62b44aba8e020e8b9e15683.pdf?index=true
    • http://zilemugas.epizy.com/97504933439.pdf
    • https://6d251753-49d0-4f5b-a278-10ed1cacc9d0.filesusr.com/ugd/5c139a_032c0808fc1f4f0b8c394cf8adc7d4f1.pdf?index=true
    • http://wogafut.rf.gd/bidirectional_search_in_artificial_intelligence.pdf
    • https://36425c1f-c329-48aa-845d-1f8252cb45c8.filesusr.com/ugd/01d500_12a78150139642339e65e973971e1e66.pdf?index=true
    • https://uploads.strikinglycdn.com/files/3838a8da-a0a5-41eb-bbca-29526be0ef8e/new_dance_music_videos_2019.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c23d.bin
7cb37762664595a7aae23b267e498e05f1e734af9eef357688786d8e16d3dae2		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC23D 5232 bytes
font_01_sfnt_off0000d419.bin
b0d058cb1a1d0cb54643d38a9599691e2cd5b7638d8cea52902de27c7fcc59eb		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD419 9628 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.