Malicious PDF — malware analysis report

Static analysis result for SHA-256 bdcaa88f992fd605…

MALICIOUS

PDF

159.9 KB Created: 2021-04-08 09:22:55 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 574430e8ff4a278aa34c973b30de3964 SHA-1: d151471cc04c97afc8332c753d4888b95261030b SHA-256: bdcaa88f992fd6055eda6a99e2e1bf5bb7294d7aa14b935dec5c13587f9312bc
166 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is a PDF that contains an embedded URL pointing to a suspicious domain, likely intended for phishing or malware distribution. The heuristic 'SE_PASSWORD_ARCHIVE_LURE' indicates the document likely instructs the user to open a password-protected archive, a common tactic to bypass security filters. ClamAV detection further confirms its malicious nature, classifying it as a phishing trojan.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9987

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://nipisod.ru/strik?utm_term=still+alice+netflix+nz
    • https://cdn-cms.f-static.net/uploads/4489969/normal_5fe6b455762e2.pdf
    • https://static.s123-cdn-static.com/uploads/4447098/normal_5fecb0b6e1205.pdf
    • https://cdn-cms.f-static.net/uploads/4469135/normal_60565bbcb959c.pdf
    • http://vandify.com/cv_administrateur_systeme_windowsftkrg.pdf
    • https://cdn-cms.f-static.net/uploads/4392441/normal_5fd243f499517.pdf
    • http://tur8osale.site/jemodokerenolosaxaxuzeleo0v3r.pdf
    • https://cdn-cms.f-static.net/uploads/4381297/normal_6013343b3534b.pdf
    • http://steblin.pro/good_transition_words_to_start_a_conclusionwwkv9.pdf
    • http://fomamiforepu.22web.org/happy_birthday_bhaiya_whatsapp_status_video.pdf
    • http://mangalvpodarok.ru/10235179736kpq0k.pdf
    • http://chambreop.xyz/96075053964flvy0.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://0a497e50-07dd-462d-832d-d8678f741a8e.filesusr.com/ugd/5f857b_a1b8f77563f3488ca0f727900bddf9ba.pdf?index=true
    • https://uploads.strikinglycdn.com/files/d2b35280-2f0f-4e39-bfb6-b5d3dcd4aff1/bowumixagogutojofopuxe.pdf
    • https://b8436764-02b3-4471-8711-1e8fed235cf0.filesusr.com/ugd/3b3fbb_c036f57fabb6468596962c21558a4311.pdf?index=true
    • http://rujomomox.rf.gd/buwozixisapodako.pdf
    • https://abbf68a8-5b21-4996-91be-11266bd273ed.filesusr.com/ugd/9374a7_341dd2b1b5f642e0afc3ff368bfed114.pdf?index=true
    • http://webewizago.epizy.com/trusting_god_even_when_life_hurts_free.pdf
    • https://ad323f3e-245e-4e3c-8b16-de91fefec063.filesusr.com/ugd/5ea691_7710fcb234304131966bc2ca0823a1e5.pdf?index=true
    • https://uploads.strikinglycdn.com/files/a6491d4b-a99f-40dd-be29-5391dc813466/el_reino_de_este_mundo_resumen_del_capitulo_1.pdf
    • https://s3.amazonaws.com/wulagisi/introduction_to_compound_light_microscope_lab_report.pdf
    • https://uploads.strikinglycdn.com/files/42fdaf13-2bdd-4278-825a-b4bf616f2505/aw_tozer_devotional.pdf
    • https://01c19f78-c7d0-441a-b56a-8672493f87de.filesusr.com/ugd/9d66c7_0b6236a38bc54d7582576e87ad780ff2.pdf?index=true
    • https://uploads.strikinglycdn.com/files/6c5259fe-97b4-444e-8ddc-c10ec0f214ae/7262832521.pdf
    • https://uploads.strikinglycdn.com/files/c3b14bc8-9ce5-4982-9fd3-8a8e9640314c/is_aeronautical_engineering_a_good_career_in_india.pdf
    • https://s3.amazonaws.com/tedowafomaru/fundamentals_of_statistical_and_thermal_physics_by_f._reif.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00023849.bin
221bb0a435da51f0a2f46c7a0336c05ce224bd68b82365b765070808f7defb66		 pdf-font-stream PDF embedded font (sfnt) at offset 0x23849 4824 bytes
font_01_sfnt_off000248d9.bin
2cd5f03cd6c631f6f94def107249d0f3a506db1179708ee56957dd177c99ac3e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x248D9 12044 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.