Malicious PDF — malware analysis report

Static analysis result for SHA-256 9a033d0dcc205ce4…

Verdict: MALICIOUS
File type: PDF
Size: 99.8 KB
Created: 2021-03-23 02:43:11 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4d3ecbbc1dad4deae14a2426654396da
SHA-1: 5968a568492d00bc1c125fbad3cf294d647be494
SHA-256: 9a033d0dcc205ce4cd97d81cb8fa65484da553fa01c7f46ab0dbdfec4d435c86
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many of which are SEO-optimized and point to other PDF files, indicating a link farm or spam campaign. The primary URL, 'https://nipisod.ru/award?keyword=basic+afrikaans+words+pdf', suggests a lure to a site offering PDF-related content, likely to deceive users. While no scripts were explicitly extracted, the PDF structure and extensive external linking are indicative of malicious intent, possibly to drive traffic or host phishing content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9937

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://nipisod.ru/award?keyword=basic+afrikaans+words+pdf

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00013403.bin
    SHA-256: 7280cdc3e70db122497d05750858b8dcbf49e9038a3b57970a28ca876597156b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x13403
    Size: 5320 bytes
  • Filename: font_01_sfnt_off00014649.bin
    SHA-256: c905c1e819b3d4f3bf610b55aa03b17ed2b2011594dd63ca1f6ee3d06cc16ff5
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x14649
    Size: 11280 bytes
  • Filename: font_02_sfnt_off00016c2e.bin
    SHA-256: e5245523bd71a78e06ca3300da63f55ad096e28dd8c1a5e83e138be64f7d0aee
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x16C2E
    Size: 16084 bytes