Malicious PDF — malware analysis report

Static analysis result for SHA-256 b34306aa1f69ebba…

MALICIOUS

PDF

78.4 KB Created: 2021-04-25 17:26:14 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ee3167b7410d06ea5f364dadb72fc368 SHA-1: db7a3d60b81a19bf51ae1aa0229c56533c29021f SHA-256: b34306aa1f69ebba29c3eff0d137c51d8d9edcf1ee5642430b6aea4e4416cad3
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was flagged as malicious by multiple heuristics and an ML classifier, indicating a high likelihood of malicious intent. It contains a large number of external links, suggesting it's part of a link farm or phishing campaign. The primary malicious URL identified is https://nipisod.ru/strik. While no scripts were explicitly extracted, the PDF structure and the presence of numerous external links point towards an attempt to redirect users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://nipisod.ru/strik?utm_term=why+is+research+important+in+educational+psychology
    • https://cdn.sqhk.co/vadetegubufo/VWjedvM/72901180733.pdf
    • https://cdn.sqhk.co/pixisuja/iijMI1p/kosmos_helper_app_ios.pdf
    • http://differencecheats.net/cioms_guidelines_2002jqovp.pdf
    • https://cdn.sqhk.co/mujekesire/idjhXjh/disney_premier_access_cost_australia.pdf
    • http://ketotreno.buzz/ham_radio_general_test_study_guidewx336.pdf
    • http://bisipatelaloguj.66ghz.com/advanced_rest_client_offline.pdf
    • http://xbet1.fun/88814436285fyivf.pdf
    • http://tonorubur.22web.org/vafupawen.pdf
    • https://cdn-cms.f-static.net/uploads/4367940/normal_60421b52bb799.pdf
    • https://cdn-cms.f-static.net/uploads/4378852/normal_60158e8f676d2.pdf
    • https://static.s123-cdn-static.com/uploads/4470029/normal_5ff5dc7f41e56.pdf
    • https://cdn.sqhk.co/banibudofe/bifjbgf/jimigusagezo.pdf
    • https://cdn.sqhk.co/vutowogipu/gdif3jc/1921828611.pdf
    • http://hushseo.online/mapepitazefapewigdszi3.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/4e1f7043-982c-45dd-a9cd-fa70f59d8e73/geotechnical_engineering_principles_and_practices_2nd_edition_coduto.pdf
    • https://679cd94f-bb1f-411a-9684-d99498fe93d6.filesusr.com/ugd/ce16d4_3c54238f092845bd8c292d1e3a6853f1.pdf?index=true
    • https://uploads.strikinglycdn.com/files/48c17684-ca72-4b64-a497-21dcc09b3910/fogudiguwotenulasavilisul.pdf
    • http://wemiwapava.epizy.com/lepikexudi.pdf
    • https://uploads.strikinglycdn.com/files/a5982f0d-efc8-4203-ac50-f61fb6bb7061/wahl_home_pro_basic_clipper_kit_uk.pdf
    • https://uploads.strikinglycdn.com/files/ac6d6487-2f00-4847-943c-99afd8846e13/2001_vw_beetle_owners_manual.pdf
    • https://uploads.strikinglycdn.com/files/ef31013d-4047-4ea1-b985-bdde075a14ac/74352663401.pdf
    • https://034618a9-9b39-4f41-ad18-95bca1d1c80b.filesusr.com/ugd/48d9a1_8bab31fc42274fa89b33b36a68f02947.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f25b.bin
9edf445caf434a0a00e06c1d16384706d824f5fce495e1ab9f1a91f079952699		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF25B 5600 bytes
font_01_sfnt_off0001054d.bin
8631d3986ddd4af53480809bb04652b842eadb8de61a631648bdfe8020ff9011		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1054D 11352 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.