Malicious PDF — malware analysis report

Static analysis result for SHA-256 af33db97a3a626b3…

MALICIOUS

PDF

72.5 KB Created: 2021-04-06 13:55:11 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1e747b347801770941df34fe25588e1e SHA-1: 777ade956c198581270b4e555ea943847296197f SHA-256: af33db97a3a626b340179f87a900a06a7eaa15da616f6493520761bb921df35b
126 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was flagged by ClamAV as Pdf.Phishing.Trojan and a machine learning classifier indicated a high probability of maliciousness. The document contains numerous external URIs, including one pointing to 'nipisod.ru', which is likely part of a phishing or scam operation. Although no scripts were explicitly extracted, the PDF structure and heuristic firings suggest it's designed to lead users to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://nipisod.ru/123?utm_term=blouse+design+photos+free
    • https://cdn-cms.f-static.net/uploads/4413109/normal_5fd3a3ffe90d3.pdf
    • https://cdn-cms.f-static.net/uploads/4374703/normal_603a6f4c9a777.pdf
    • http://xuxetosufuzo.getenjoyment.net/2014_national_electrical_code_book.pdf
    • http://gasolotiravizid.sportsontheweb.net/rorozaderadefilemulatob.pdf
    • https://static.s123-cdn-static.com/uploads/4415304/normal_5fffe8c33b1d2.pdf
    • https://cdn-cms.f-static.net/uploads/4412377/normal_601ca45a843f0.pdf
    • https://cdn-cms.f-static.net/uploads/4374518/normal_6046231fa1561.pdf
    • http://limecash.xyz/kwikset_smartcode_909_user_manual68631.pdf
    • http://katipef.medianewsonline.com/moranibanoruriwirolos.pdf
    • http://trastenmyqort.online/answer_key_for_math_worksheetshm5l9.pdf
    • http://openlait.pro/wukeduwifakotoxlehn7.pdf
    • http://strgb2.ru/noredagivokosi6v31y.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://9b704b87-3668-414c-a24e-b30400fe0e33.filesusr.com/ugd/51c472_8fe7d10148c14f34ae7c804322af0c1d.pdf?index=true
    • https://uploads.strikinglycdn.com/files/61d582e9-8b4c-4063-81d8-45547614e9cd/fifth_third_bank_mart_hours.pdf
    • https://uploads.strikinglycdn.com/files/132f0cce-a883-4d3e-bbf3-8c384c35c251/3872883822.pdf
    • https://s3.amazonaws.com/wulagisi/disappeared_tv_show_episode_guide.pdf
    • https://12dd324c-696b-4d67-8c19-991f3eacec2c.filesusr.com/ugd/eeb7bd_f33cd579332949b88bf54ed439a18c22.pdf?index=true
    • http://wurebosuloxu.myartsonline.com/94139075809.pdf
    • https://uploads.strikinglycdn.com/files/f36a941e-7f60-48c7-a91b-4030d836a32f/citizen_eco_drive_watch_manual.pdf
    • http://xijewixevav.onlinewebshop.net/56820213231.pdf
    • https://s3.amazonaws.com/baxekojojexusol/creating_a_spreadsheet_application.pdf
    • https://f815f12b-539f-4060-8ed9-abd2caada31b.filesusr.com/ugd/ceb2e8_f24be12e91c6483fba07bb3bc8810cb8.pdf?index=true
    • https://uploads.strikinglycdn.com/files/d3e682d1-7313-43fb-9e8c-d4ad42f2140c/justine_marquis_de_sade_summary.pdf
    • https://s3.amazonaws.com/tizowodifi/94490980418.pdf
    • https://uploads.strikinglycdn.com/files/26177f64-6399-4176-a1c5-49ac0f6621e4/volezijawurilajaka.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000dc84.bin
5c3d1efc728b0ea98e0f2185d78b84eaa2642002fe91066ad8c756c572230260		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDC84 5144 bytes
font_01_sfnt_off0000ee05.bin
22e60c4daddbbd6d33b151962d2bb8ff85883b53f37022672ff705cf230febaa		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEE05 10764 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.