Malicious PDF — malware analysis report

Static analysis result for SHA-256 d25434ae841d3b4d…

Verdict: MALICIOUS
File type: PDF
Size: 87.9 KB
Created: 2021-03-23 14:03:42 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a7e84c8513034c2d8d71b1a2f03809c2
SHA-1: d55fb4f7f8e22f8536774ca319feafc8c5870459
SHA-256: d25434ae841d3b4d8610d49e94d8127d3f7d1345e0b2290cbc3759ede433c831
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links and was identified as a link farm; the primary suspicious URL is https://lozipotod.ru/award. The ML classifier and ClamAV both flagged this PDF as malicious, indicating phishing or trojan-like behavior. While no scripts were explicitly extracted, the PDF structure and extensive external linking suggest an attempt to redirect users to potentially harmful content or to engage in SEO manipulation.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics (5)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (severity: info, rule: PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://lozipotod.ru/award?keyword=applied+mathematics+bsc+it+sem+3+pdf

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00010cd9.bin
    SHA-256: b06ee8b315a946664fb36a295d02e652ff2d7f0b974e713bc5bee8deba5d79aa
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10CD9
    Size: 5164 bytes
  • Filename: font_01_sfnt_off00011e61.bin
    SHA-256: c64180c0f3c3ec4649d624024550474de99ec35c0151a78986bf619080f49882
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11E61
    Size: 11180 bytes
  • Filename: font_02_sfnt_off000143e4.bin
    SHA-256: cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x143E4
    Size: 4324 bytes