Malicious PDF — malware analysis report

Static analysis result for SHA-256 bdebd6ca1631437f…

MALICIOUS

PDF

73.9 KB Created: 2021-03-21 07:27:47 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 65c3fef04e113b71045d220a440b7342 SHA-1: 7a5e9c8fc2279f6b3da5203ffece108c2dfaba40 SHA-256: bdebd6ca1631437f37e114541520421d6b1eaab7ac4fd779aab4b735b70aaded
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was flagged by multiple heuristics, including PDF_SEO_LINK_FARM and ML_NYX_PDF_MALICIOUS, indicating a high likelihood of malicious intent. The presence of numerous external URLs, particularly the one pointing to 'nipisod.ru', suggests a phishing or link-farming scheme. Although no scripts were explicitly extracted, the PDF structure and heuristic firings strongly suggest it's designed to lure users to external, potentially malicious, content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://nipisod.ru/123?utm_term=cat%25C3%25A1logo+c%25C3%25A9dulas+do+brasil+pdf
    • https://cdn.sqhk.co/zanudiwageg/Niin6jb/gender_pay_gap_reporting_guidance.pdf
    • https://cdn-cms.f-static.net/uploads/4464534/normal_603e3b47e9df0.pdf
    • https://cdn-cms.f-static.net/uploads/4446491/normal_605521df7039c.pdf
    • https://cdn-cms.f-static.net/uploads/4486965/normal_6019dbf4d82c5.pdf
    • https://cdn-cms.f-static.net/uploads/4471095/normal_604dcf30a61bc.pdf
    • https://static.s123-cdn-static.com/uploads/4462362/normal_5fefa5ef3f043.pdf
    • https://cdn.sqhk.co/fiseguvugele/h3gjiat/rameru.pdf
    • https://cdn-cms.f-static.net/uploads/4369907/normal_60367c63204ce.pdf
    • https://levapexufusetij.weebly.com/uploads/1/3/4/9/134904519/duvazidoritudana.pdf
    • https://fulopovesaj.weebly.com/uploads/1/3/0/7/130740112/vizitidideva.pdf
    • https://zoximubovug.weebly.com/uploads/1/3/1/3/131379564/wifepigoperofekuvo.pdf
    • https://cdn-cms.f-static.net/uploads/4501645/normal_6044f83e5bd6e.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://a98f38e8-5810-4fc9-be6a-c3d78c7c4f9f.filesusr.com/ugd/921909_0d3311f956d245aeafe558125a17e7f0.pdf?index=true
    • https://s3.amazonaws.com/zesixefe/bolobutowe.pdf
    • https://s3.amazonaws.com/dudujopixejikug/27686890607.pdf
    • https://s3.amazonaws.com/wakuzidi/rubijonexedule.pdf
    • https://s3.amazonaws.com/jutenojamega/drudge_report_whistleblower_identified.pdf
    • https://s3.amazonaws.com/jasadavebaga/guinness_nigeria_plc_annual_report_2010.pdf
    • https://a62e46b8-d933-4087-892c-e5439cec6991.filesusr.com/ugd/e9cba9_25c898f9eb4a413b8d9f853fe31812fb.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000dc1b.bin
85560c0ea10501b5171f4edb005d3150ddcfed047ec443f2377fb678cba09db9		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDC1B 5744 bytes
font_01_sfnt_off0000eeca.bin
9c3beb22cb0e78412fa6244fad3e8661471fad89e440469f118bfcc16bff2e34		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEECA 13932 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.