Malicious PDF — malware analysis report

Static analysis result for SHA-256 b278b5f634200a3b…

Verdict: MALICIOUS
File type: PDF
Size: 79.3 KB
Created: 2021-03-25 09:33:44 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 06fb81c7cb6f24937eefcbed3b203141
SHA-1: b1121cf07b579848b7694e159dd2a6555446c6e5
SHA-256: b278b5f634200a3bdd7d1efb27af42cce2e3769c165c6b3d9a654c6bcb665b5f
Risk Score: 164

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many of which are embedded within the document body and presented as search results. The heuristic 'PDF_SEO_LINK_FARM' indicates a mass of external links, and the presence of 'nipisod.ru' as a target URL suggests a phishing or malicious redirection attempt. ClamAV also detected this as 'Pdf.Phishing.Trojan'.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (6)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Urgency / deadline lure (low, SE_URGENCY_LURE)
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.). This is useful context, but low-signal without other findings.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL: https://nipisod.ru/strik?utm_term=where+is+joanna+gaines+magnolia+store

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size         SHA-256
font_00_sfnt_off0000ea93.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xEA93  4976 bytes   4d188716cd247d5f87c0ecdc9a196f7112266b85dbc3a6e97cfc9982b16a1d3d
font_01_sfnt_off0000fb5d.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xFB5D  11416 bytes  2066b3d22ea6180b5a5547286437fd04b3687d3a7c93c237c153126557e22575
font_02_sfnt_off00012217.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x12217 4324 bytes   0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333