Malicious PDF — malware analysis report

Static analysis result for SHA-256 caa4a465203f82c7…

Verdict: MALICIOUS
File type: PDF
Size: 84.8 KB
Created: 2021-04-12 16:46:00 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3c2f8d0ce675ca03a4c99a136fb84040
SHA-1: 7512c1be3c19a39c32adc716a046de4950b814e1
SHA-256: caa4a465203f82c7bb19f368dfe31ada5bc38c2a5029557fe17f759b1e4902ab
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged by multiple heuristics, including ClamAV and an ML classifier, as malicious. It contains a large number of external links, many of which are to obscure domains, suggesting a link farm or phishing operation. The primary malicious URL identified is https://nipisod.ru/strik?utm_term=chevy+cobalt+repair+manual, which is likely used to host malicious content or redirect to a phishing site. The document body is heavily obfuscated and appears to be a lure related to a 'Chevy cobalt repair manual'.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9993

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF_URI (info): External URI
    PDF contains an external URL action
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://nipisod.ru/strik?utm_term=chevy+cobalt+repair+manual

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00010d08.bin
SHA-256: 4fad0f2eefbc30739caccc523333af32e8ade72ffb60c2cae4ab6bbc251b1d4e
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x10D08
Size: 5200 bytes

Filename: font_01_sfnt_off00011e98.bin
SHA-256: 6e857a718796d2e73ca4d1ca3557eac352cb5e8ae6d36afe787fd12647ba55ac
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x11E98
Size: 11476 bytes