Malicious PDF — malware analysis report

Static analysis result for SHA-256 a8538162cd4e8d59…

MALICIOUS

PDF

Size: 76.7 KB
Created: 2021-04-06 14:44:58 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3c0945c555a73f0296060c5476daf854
SHA-1: 55a9cc5e64749373008b47d9e2552c3eb7e2056a
SHA-256: a8538162cd4e8d5937629f4b81658b7abcd1b9dd4b82bff3ed26c4b0fb9f3c34
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged by multiple heuristics as malicious, including ClamAV and an ML classifier. It contains a large number of external links, suggesting a link farm or phishing attempt. One of the primary URLs identified is https://nipisod.ru/aws?utm_term=doro+flip+phones+for+seniors, which is likely part of a phishing lure. Although no scripts were explicitly extracted, the PDF structure and the presence of numerous external links indicate a malicious intent to redirect users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (5)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://nipisod.ru/aws?utm_term=doro+flip+phones+for+seniors
    • https://cdn.sqhk.co/mazinatefoso/iigjbCW/little_big_city_2_old_version.pdf
    • https://gowobokibisalo.weebly.com/uploads/1/3/0/9/130969305/27cec.pdf
    • https://cdn.sqhk.co/womafafowix/hf6Tsjh/rizuvaginubuna.pdf
    • https://cdn.sqhk.co/giganopof/KS4ijEL/77446019627.pdf
    • https://cdn.sqhk.co/vinogusi/jieAjfK/5526802682.pdf
    • https://powonevupurig.weebly.com/uploads/1/3/4/7/134704952/6610875.pdf
    • https://dutebosolet.weebly.com/uploads/1/3/0/9/130969562/pofipiburene-panijavezirax-figerosebovi-tonerukeluzazu.pdf
    • https://cdn.sqhk.co/mopomotop/OsjdNid/97836157735.pdf
    • https://cdn.sqhk.co/nonagidux/5YMojfO/five_nights_at_freddy_s_song_10_hours.pdf
    • https://cdn.sqhk.co/xamitarerivu/uVKgfuB/shelter_cove_hilton_head_events.pdf
    • https://vogitoroxubas.weebly.com/uploads/1/3/0/7/130739894/gufis-pitizalajad-filaxutopemikug.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/73ebd88d-f439-4f42-a81c-7d32df0f8e82/sipufemoluvabubomaro.pdf
    • https://uploads.strikinglycdn.com/files/06ee845b-e5cd-4a16-96e9-450491ca4732/94231276178.pdf
    • https://uploads.strikinglycdn.com/files/631d4086-a9ce-41b2-930b-8ceb30fedb1e/wudagesovunowujebuvopuwe.pdf
    • https://uploads.strikinglycdn.com/files/f6809aea-cc74-41ef-b433-6fa085b2044a/mcsa_windows_10_complete_study_guide_download.pdf
    • https://uploads.strikinglycdn.com/files/e26dcc25-14e4-4908-8198-6517ec374024/how_to_write_a_summary_of_a_chapter.pdf
    • https://uploads.strikinglycdn.com/files/ed2f46cf-9408-48f3-844b-e30ce7b64dfd/georgia_driving_permit_test_questions.pdf
    • https://uploads.strikinglycdn.com/files/25507cf3-efe8-48a7-9f92-6faad3746361/82758518098.pdf
    • https://uploads.strikinglycdn.com/files/9b0d480d-8c5c-4a59-9799-f83095f6ad3f/59739546286.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000f127.bin | cf72d9497180bfcf93ddba840a9bff4a8a5249e46edfe2054845f56c6465ae91 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF127 | 4780 bytes
font_01_sfnt_off00010169.bin | 5b09ecebba4c5991e0a53e70fb9436abdc11d626509da76bb3e63fe7f0476e0c | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10169 | 10736 bytes