Malicious PDF — malware analysis report

Static analysis result for SHA-256 cdfec8961947c98b…

Verdict: MALICIOUS
File type: PDF
Size: 73.6 KB
Created: 2021-04-04 23:39:42 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d52f8edc98d0376795a73a4ff6b807b8
SHA-1: d4ede2441718829e487a06d1f57ea6d983b66c8d
SHA-256: cdfec8961947c98b7d4b99d89d162e53fcb0bac5631d4a37c40d7a5ce13c6b1e
Risk score: 154

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, with a critical heuristic identifying a link farm. One of the primary URLs, 'https://nipisod.ru/award?keyword=canales+de+venta+pdf', appears to be a lure for malicious activity. The ML classifier and ClamAV detection strongly indicate malicious intent, likely for phishing or distributing further malware.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9275

Heuristics (4)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted:
    • https://nipisod.ru/award?keyword=canales+de+venta+pdf
    • https://cdn-cms.f-static.net/uploads/4404528/normal_603e783e0e26f.pdf
    • https://xegugunozom.weebly.com/uploads/1/3/1/4/131482992/7a760b41763f1.pdf
    • https://wufisosudima.weebly.com/uploads/1/3/0/8/130874090/4f87524ae52.pdf
    • https://cdn-cms.f-static.net/uploads/4390068/normal_5fd64e4016915.pdf
    • https://cdn-cms.f-static.net/uploads/4416802/normal_6029c591f0eea.pdf
    • http://poputitekokukad.iblogger.org/27249709366.pdf
    • https://wilasumoleliwu.weebly.com/uploads/1/3/1/4/131414134/mofejowotitusebosig.pdf
    • https://static.s123-cdn-static.com/uploads/4371505/normal_5ffe81996c9f0.pdf
    • https://static.s123-cdn-static.com/uploads/4422643/normal_6003e60944b3e.pdf
    • https://cdn-cms.f-static.net/uploads/4385228/normal_60328e8fa1701.pdf
    • http://sozikibonoda.iblogger.org/16482612891.pdf
    • http://juvugewit.iblogger.org/what_oil_does_a_dodge_durango_take.pdf
    • https://cdn-cms.f-static.net/uploads/4496824/normal_5fdab8a617333.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/mizeteb/android_17_cosplay_tutorial.pdf
    • https://s3.amazonaws.com/meludav/57450356000.pdf
    • https://s3.amazonaws.com/mikibetiv/42625333230.pdf
    • http://vazavaxajude.rf.gd/12995049150.pdf
    • https://s3.amazonaws.com/gomakobez/72852851732.pdf
    • http://dabububulakam.rf.gd/comparing_and_contrasting_mitosis_and_meiosis_worksheet.pdf
    • https://s3.amazonaws.com/woberiz/sinip.pdf
    • https://s3.amazonaws.com/mokixetat/anker_a7908_not_turning_on.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000f22a.bin
    SHA-256: cd4307cca9ce8f7c1a013e57bad31b8b9ab0069e46e4542dd8ec91dee8e3fff0
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF22A
    Size: 4904 bytes
  • Filename: font_01_sfnt_off000102f3.bin
    SHA-256: 743ba86373b89ab4a1ea7ffd9e170da9e5044145bae6dcae33fa59d25dcfc2d4
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x102F3
    Size: 11252 bytes