Malicious PDF — malware analysis report

Static analysis result for SHA-256 c809179449187f60…

MALICIOUS

PDF

78.6 KB Created: 2021-03-17 00:55:29 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 16b061ff1829b1e11a4bb4368c277539 SHA-1: d84a64bb4bf4eaaaae4dfcc8935f405387bc46ce SHA-256: c809179449187f604f5fe9e0086da69da1064eb36efdde98d2b58dd051c84d6b
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains heuristics indicating it is a link farm and a lure for invoices or payments. The embedded URL `https://lozipotod.ru/wix?keyword=fresh+direct+promo+code+march+2020` suggests a phishing or scam attempt disguised as a promotional offer. While no scripts were explicitly extracted, the PDF structure and the presence of external links are indicative of malicious intent, likely to redirect users to a malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://lozipotod.ru/wix?keyword=fresh+direct+promo+code+march+2020
    • https://javagakikidubat.weebly.com/uploads/1/3/0/9/130969576/maridizi.pdf
    • https://cdn-cms.f-static.net/uploads/4366639/normal_5fd9b13e6b7aa.pdf
    • https://cdn-cms.f-static.net/uploads/4469105/normal_601cd326f3888.pdf
    • https://xonodomewavewa.weebly.com/uploads/1/3/5/3/135316089/zoxirab_fekalabebob_sisavokot.pdf
    • https://luwojasog.weebly.com/uploads/1/3/1/3/131380471/bb99e08c9f192aa.pdf
    • http://tubipegutadob.iblogger.org/capillary_malformation_wiki.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/4eea5d1a-689f-4d31-90b4-df3607557f4b/nonewikupe.pdf
    • https://uploads.strikinglycdn.com/files/a4dc9699-8f61-432a-8de1-18127e0aaa6c/xozusowuwowe.pdf
    • https://uploads.strikinglycdn.com/files/296c2785-f968-4e3e-9a38-0df2b32e58b0/2012_peterbilt_386_stereo_wiring_diagram.pdf
    • https://uploads.strikinglycdn.com/files/73685adf-3751-4f6b-9d27-831439035c9f/bojoxemimol.pdf
    • https://uploads.strikinglycdn.com/files/37662c2f-192b-4439-83e3-ff4724e8eb6a/crossfit_wod_app_ios.pdf
    • https://4dd4a32c-aced-41d2-87e6-7ff9ca8080d7.filesusr.com/ugd/6d6f33_86c3361d598c4336852566839f8a94a6.pdf?index=true
    • https://uploads.strikinglycdn.com/files/6362bedf-ea3a-4758-a353-0e63587401a4/99934961015.pdf
    • https://cf4de027-7369-46c2-bf93-d69cabef2b5e.filesusr.com/ugd/868b90_3f8842e492a44831b77b582e4cfe241e.pdf?index=true
    • https://uploads.strikinglycdn.com/files/7a685949-d974-4536-9317-3bfe733b7207/rhetorical_devices_examples_pictures.pdf
    • http://jabelakejirer.epizy.com/misebis.pdf
    • https://070488ba-e3d9-4c74-834b-445551f5513c.filesusr.com/ugd/fb83f1_971df7097e6f4fbebf41a9ac6eeda850.pdf?index=true
    • https://uploads.strikinglycdn.com/files/140538d5-3d20-4b85-9599-54489e5b1903/50971185073.pdf
    • https://uploads.strikinglycdn.com/files/4bf9ae6b-58b6-4119-902c-4bde6fc73616/gujarat_staff_nurse_exam_questions_and_answers_2015.pdf
    • https://uploads.strikinglycdn.com/files/0f9ea090-ea70-4fe2-b33b-e834f81ca394/dotazirojod.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f472.bin
67de5f7a6b66d2076118bfa3e3b674ec9928cab74d360fadda72c510fbe9272a		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF472 5512 bytes
font_01_sfnt_off00010706.bin
c113dd6ce97b3f6467f9dedf07bbb1b67c2ca78f8fab1e4393341ae1c3ba01fc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10706 11236 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.