Malicious PDF — malware analysis report

Static analysis result for SHA-256 9f6d310417bebda6…

Verdict: MALICIOUS
File type: PDF
Size: 86.7 KB
Created: 2021-04-22 01:28:05 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-06-30
MD5: 15d8e9ba62c8f1bc6119e1e1196618c3
SHA-1: 30d749620a7d21046001ced22704fa32350de3b3
SHA-256: 9f6d310417bebda67dcebff2e6644d8e45eddac7057a87e487a0a500b5e9f27d
Risk score: 126

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous embedded URLs, with one notable URL pointing to a suspicious domain ('nipisod.ru'). The 'PDF_SEO_DISPOSABLE_LINK_FARM' heuristic indicates a deliberate attempt to create a link farm on disposable hosting, suggesting a phishing or malware distribution campaign. ClamAV detection as 'Pdf.Phishing.Trojan' further supports the malicious nature of the file. No scripts were extracted, but the structure and embedded links strongly suggest a phishing or malicious redirection attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting [medium, PDF_SEO_DISPOSABLE_LINK_FARM]
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • External URI [info, PDF_URI]
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://nipisod.ru/strik?utm_term=flir+one+ios+to+android+adapter (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00011657.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x11657
  Size: 4908 bytes
  SHA-256: b2110c0687c61236ccbddc05c6cf798a338faf2dda023042204ec267d63c8e1b

Filename: font_01_sfnt_off00012715.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x12715
  Size: 11220 bytes
  SHA-256: c06dd4c3fff3c7347f1bf65ba4512db8f771b2b489f27fd8b73caa842acccb94