Malicious PDF — malware analysis report

Static analysis result for SHA-256 c736867aa5857018…

Verdict: MALICIOUS
File type: PDF
Size: 75.3 KB
Created: 2021-03-11 11:37:41 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 50fedb9dfd1f305ee6159ca0a37f734e
SHA-1: e74d967fa766a7844a51ab4ea6563b0e027bf8e1
SHA-256: c736867aa58570182fde4f565a29e0104dc0f6d48d1be19f1d875e41705fc178
Risk Score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous external links, with one prominent URL pointing to a suspicious domain ('nipisod.ru') that is likely part of a link farm or phishing campaign. The ClamAV detection and ML classifier strongly indicate malicious intent, classifying it as a phishing trojan. While no scripts were directly extracted, the PDF structure and extensive external links suggest it's designed to redirect users to malicious sites or download further payloads.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9995

Heuristics (5)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000e9d6.bin
    SHA-256: b81a48f35601b51fb43afb57efef3e616c1f26f074df8d5e5f07b5bb4bf49b43
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE9D6
    Size: 5352 bytes
  • Filename: font_01_sfnt_off0000fc00.bin
    SHA-256: ff46996d80a6c8fcbb2bdc8d1a4a28f43374238bb595d62b606f15863b309d71
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFC00
    Size: 10424 bytes