Malicious PDF — malware analysis report

Static analysis result for SHA-256 910847a3b084a052…

MALICIOUS

PDF

77.4 KB Created: 2021-03-12 14:04:33 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e2cb0431f82358553c8f1f33bc01d294 SHA-1: ba444387558f7aa5c702084402d142c3b946db68 SHA-256: 910847a3b084a052c644503d9196fbd65cca46ac382ede0db839dbe09d5ca9b8
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was identified as malicious by multiple heuristics, including ClamAV and an ML classifier, indicating a phishing or scam attempt. The PDF_SEO_LINK_FARM heuristic suggests it contains numerous external links, with the primary suspicious URL being https://nipisod.ru/123?utm_term=balasaheb+shinde+english+vocabulary+audio. The document body, though heavily obfuscated, contains metadata suggesting it was generated by wkhtmltopdf, and the presence of embedded URLs points towards an attempt to redirect users to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://nipisod.ru/123?utm_term=balasaheb+shinde+english+vocabulary+audio
    • https://dewixazupeteti.weebly.com/uploads/1/3/1/4/131455636/e0bf22ea9.pdf
    • https://sabexezoguge.weebly.com/uploads/1/3/1/4/131483217/3491367.pdf
    • https://zijoganidilo.weebly.com/uploads/1/3/1/8/131856317/489328.pdf
    • https://silorofolukut.weebly.com/uploads/1/3/4/2/134265947/bawajaluv_vudinakebidar_netedumi_nebowa.pdf
    • http://gepokupaburorew.mywebcommunity.org/traitement_carie_dentaire.pdf
    • http://copyright-infringement.business/what_is_the_authors_purpose_of_a_memoirz99hx.pdf
    • http://eferevole.com/20769029610aejcb.pdf
    • http://blue-tick-central.com/tefal_deep_fat_fryer_charcoal_filternjt41.pdf
    • https://jomefibid.weebly.com/uploads/1/3/4/5/134596324/gegewifewunire.pdf
    • http://vetovikaxu.mypressonline.com/how_to_start_an_aa_meeting_on_zoom.pdf
    • http://sandwichhq.club/what_to_the_american_slave_is_your_4th_of_july_summary15yj4.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://9eb5ee95-128e-4115-bcd6-d8db8525ce49.filesusr.com/ugd/9904c2_8d3b29fa862e4b42a28f0d8595cb630f.pdf?index=true
    • https://uploads.strikinglycdn.com/files/b91d10bb-6bc9-40b9-aecb-49e90327f97a/craftsman_1_3_hp_2_gallon_portable_air_compressor.pdf
    • https://6f8cb219-4830-455d-9ced-b55e65700e85.filesusr.com/ugd/fd30ac_d03af4a8e466447e92070b632cbcc09c.pdf?index=true
    • https://d102a0f2-001f-4998-bb0a-88ac30ac05b5.filesusr.com/ugd/771ea4_0b5793bb8b184c0c9d8fc751aef7deb1.pdf?index=true
    • https://uploads.strikinglycdn.com/files/ed1753d5-158b-401d-a60c-6e29c6a30b22/stihl_chainsaw_ms310_chain_size.pdf
    • https://uploads.strikinglycdn.com/files/c7f25627-37fc-4cde-9c98-100e424e5fbb/80301271607.pdf
    • https://9505ca4c-dfdc-4941-8fde-ded35496d0c9.filesusr.com/ugd/2097ab_465ad8e81afd40828dbd32f7ed821f28.pdf?index=true
    • https://uploads.strikinglycdn.com/files/89b893f4-322a-41f3-b327-a53db2fd8590/34879999914.pdf
    • https://uploads.strikinglycdn.com/files/5691c1d3-24f0-4b4b-bd45-89d91995a8b7/how_to_make_a_peasant_dress_pattern.pdf
    • https://ee6bc897-aa08-459d-b6e6-b1b1d69fcba1.filesusr.com/ugd/7ba596_35147d088fbe4c6da1994192ed84ec59.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000cf76.bin
67cc797b94a5c8a7b4787bd4de35a9d4fd0f96e8521c38e0c2d22511391730bd		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCF76 5552 bytes
font_01_sfnt_off0000e252.bin
6a0e550766a180d0f0f2b7d0cae4eed948e939e1bd6b31472fa28e991e8563b2		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE252 3056 bytes
font_02_sfnt_off0000ef23.bin
a20e23c47018b03a1d2a8dc4f135d532cd402ff4ddb0ba7d64d5df5d1d86639d		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEF23 9808 bytes
font_03_sfnt_off000110f3.bin
700ff7bf493bf9bab5e7bd19ce07725d6ad682c9ec1bd4c381fbd4d74ba1924a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x110F3 16088 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.