Malicious PDF — malware analysis report

Static analysis result for SHA-256 9bc9824b88e383bb…

Verdict: MALICIOUS
File type: PDF
Size: 70.6 KB
Created: 2021-06-12 13:47:45 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 42565ef40631b03fded33e1c458349c6
SHA-1: 6b9876b3088bb77dc21465af3b9b04e15dd29277
SHA-256: 9bc9824b88e383bb82eb430d2111d4dcd6306497e9051a47274c1096add44ede
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous external links, including one to 'nomylo.ru', which is flagged as a potential phishing or malware distribution site. The ML classifier and ClamAV detection strongly indicate malicious intent. While no scripts were explicitly extracted, the PDF structure and the heuristics that fired suggest the file is designed to redirect users to malicious content, likely for phishing or to download further payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://nomylo.ru/pbw?utm_term=order+of+operations+with+negative+numbers+worksheet

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000d4c6.bin
    SHA-256: d34b6a21d943fce35e2541364130e5a0b7ba6222dcf8fde46939ccbff1c4ccf9
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD4C6
    Size: 5804 bytes
  • Filename: font_01_sfnt_off0000e875.bin
    SHA-256: e8483ceacaf9198659d653ae062c0ba52a3a9230d83f0b8324be35986ea34dac
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE875
    Size: 10500 bytes