Malicious PDF — malware analysis report

Static analysis result for SHA-256 ccd24c61dceed7d0…

Verdict: MALICIOUS
File type: PDF

File size: 86.1 KB
Created: 2021-03-14 01:11:59 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d16a68ffc1b5b896d967740875c07737
SHA-1: 18d403a05b09ace518cf7c69cf2827b2ffb70886
SHA-256: ccd24c61dceed7d0b4ba94de4736152f74d2ee9bd84d047960e64dba9023d9ec
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous external links, many of which are part of a link farm designed to artificially boost search engine rankings. One prominent URL, 'https://nipisod.ru/wix?keyword=root+explorer+apk+android+6.0.1', suggests a lure related to software downloads. The ClamAV detection and ML classifier strongly indicate malicious intent, likely phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics 5

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF_URI (info): External URI
    PDF contains an external URL action
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://nipisod.ru/wix?keyword=root+explorer+apk+android+6.0.1
    • http://xuroriwonufuz.scienceontheweb.net/84600383638.pdf
    • https://static.s123-cdn-static.com/uploads/4467273/normal_5ff9baee70b3f.pdf
    • https://cdn-cms.f-static.net/uploads/4408336/normal_5fe693b727895.pdf
    • http://sunmarkt.ru/how_to_increase_volume_on_nortel_phone0hc5n.pdf
    • https://joletumutete.weebly.com/uploads/1/3/4/8/134871701/55871164c8825.pdf
    • https://cdn-cms.f-static.net/uploads/4390637/normal_5fd78e53adcfb.pdf
    • http://comp-arenda.site/79686140009b81be.pdf
    • http://f13x.xyz/que_significa_ser_pobre_en_espiritu1pupu.pdf
    • https://static.s123-cdn-static.com/uploads/4459176/normal_5fcb4b17ab4fb.pdf
    • https://nosevale.weebly.com/uploads/1/3/2/6/132683459/9865032.pdf
    • http://fabulouss.space/549630090355l2bt.pdf
    • http://static-start.top/real-_life_discipleship_training_manualupzlh.pdf
    • https://ranenowubugipo.weebly.com/uploads/1/3/4/0/134040983/vazegesuzelolazi.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://6d8b2927-5c4d-40df-b593-c6bd35e19528.filesusr.com/ugd/1adac8_53c63d5aef8b4400bff9c83cbcc29dab.pdf?index=true
    • https://5c82940c-2bbf-43bf-b7af-d756fa696080.filesusr.com/ugd/2e16aa_a5ded004db3540108db0a5fc5df193b2.pdf?index=true
    • http://jikelaxapexa.onlinewebshop.net/1391482238.pdf
    • https://673fcb93-492a-40d1-a7cc-77260b5c7816.filesusr.com/ugd/62d21a_5331ed866b2b4cacae6acb882c2939f8.pdf?index=true
    • https://56076a71-1b70-41e8-afe1-d547c394b4ee.filesusr.com/ugd/ab0d05_9a16f3c89c45406083477c55aaaa34b2.pdf?index=true
    • https://07f52280-50dc-49c2-beec-a2e30bf849d0.filesusr.com/ugd/7b8f90_bad055d004c54c7682ee80b62d83e21c.pdf?index=true
    • https://ab6f8c9b-e8ec-42e1-bac7-79d473d9b692.filesusr.com/ugd/94e5ef_33b32738fb3c43b9816cfc7adb753d7b.pdf?index=true
    • https://24218389-b518-4ca3-8548-65eaf758daa4.filesusr.com/ugd/c836c3_653348635db74390ae426bed09431469.pdf?index=true
    • https://c145ee04-3c3b-4786-8b94-e0511401b322.filesusr.com/ugd/de65f7_35f6b8e634ca4c7a84862354c6c1cf0e.pdf?index=true
    • https://4ac36a2f-1533-488b-b282-cf34cdace458.filesusr.com/ugd/bcfc12_ba6e98462300485fbc4a4bba5ff27f62.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off0000fcd5.bin
    SHA-256: b6e74fb45aa386b95a642c3d6b1d25e9e70888656b280ad34747d5218fa4842c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFCD5
    Size: 5292 bytes
  • font_01_sfnt_off00010eef.bin
    SHA-256: a8e3d72e23c13e765d38d8d0a57fbc55fb40aa9564d6f27ba9ea89341980f5b5
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10EEF
    Size: 11108 bytes
  • font_02_sfnt_off0001350f.bin
    SHA-256: 13cb96fbf270e4bf889250bca28505ea82398e8b2fb2d3627afbedae2b2c618f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1350F
    Size: 16168 bytes