Malicious PDF — malware analysis report

Static analysis result for SHA-256 d274600e4f6b44e5…

Verdict: MALICIOUS
File type: PDF
Size: 78.8 KB
Created: 2021-06-02 14:02:18 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-13
MD5: 863631dc8003f031af8ecd8c75e7c940
SHA-1: db00c522d3757858b4ff9c2ce3e72f3b76cd0e46
SHA-256: d274600e4f6b44e5b7739dab3651b6cee64b5cfeda92f742c3c83c3194a21b1c
Risk score: 176

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a lure related to an audiobook, redirecting to the URL 'https://nipisod.ru/wb?keyword=confess%20colleen%20hoover%20audiobook'. This URL is flagged as an SEO redirector, indicating a phishing or malware distribution attempt. The presence of a high-severity heuristic for 'WEBSHELL_PHP' suggests that the linked site may host malicious code. ClamAV also detected this file as 'Pdf.Phishing.Trojan'.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PHP webshell / backdoor source high WEBSHELL_PHP
    The file contains PHP server-side code with the signature of a webshell/backdoor (request input fed to a command/code-exec sink). A webshell takes attacker input from an HTTP request and runs commands/code on the server. Flagged as a malicious hacktool artifact even when carried inside a document or archive — the code does not execute from the carrier, but the file is a webshell.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (with the channel that reached each one):
    • https://nipisod.ru/wb?keyword=confess%20colleen%20hoover%20audiobook (PDF link annotation)
    • https://cdn-cms.f-static.net/uploads/4379615/normal_6031ee54aeed7.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4423137/normal_5fe6b138f1f73.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4414152/normal_60313e30cdaf4.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4445731/normal_5fe8eced1d2fc.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4413126/normal_5fc6cf3ac3690.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4381539/normal_6067d0cb473eb.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • http://pupowivala.pbworks.com/f/spss_survival_manual_julie_pallant_download.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/31c0568b-5eec-45de-8cce-78bebfd76c97/bofigominube.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/1125c592-566e-4452-97de-165ed678d9b2/30334401782.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/f2bdd00c-60ca-478d-a434-52279762b1de/what_is_abstract_noun_with_example.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/c48534da-b0c9-4576-a081-30918f0a4e18/kotavobigejadotali.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/677c2507-7ffb-4e8a-907e-b655c1b69b49/8015950515.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/d7c6a467-dbdb-4f1e-847e-90a87a5d96b8/juxonitanimej.pdf (in PDF document text)
    • http://liwuvedesisu.pbworks.com/f/26250361974.pdf (in PDF document text)
    • http://biwonuv.pbworks.com/w/file/fetch/144467982/laccord_de_ladjectif_qualificatif_exercices_cm1.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/b7bcdf02-1ef0-4f31-9d40-2472f3f88738/master_kerosene_heater_e1_error.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/2ff7d9df-a1a4-439a-acb3-6cd2129b0cfb/the_great_depression_definition.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/964bb0d9-b7a0-47b6-a294-56d1df644c2f/http_sciencespot.net_metric_mania_answer_key.pdf (in PDF document text)
    • http://kepojijudiva.pbworks.com/w/file/fetch/144506193/how_to_tell_if_a_guinea_pig_is_dying.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/0af5fac3-9bb9-4daa-949c-7e0138d80f3e/black_ice_skin_rainbow_six_siege_price.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000e29f.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE29F
    Size: 5280 bytes
    SHA-256: 0b8b2be91a5b733d918665de37c1a33b08f950efa34ebe9fdc5b1381bec32077
  • Filename: font_01_sfnt_off0000f48d.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF48D
    Size: 10448 bytes
    SHA-256: 9c10cfe0a086787b5bc7205807845b29f0d69e89d3699e30c111429a3fa93610
  • Filename: font_02_sfnt_off0001188a.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1188A
    Size: 16144 bytes
    SHA-256: bdb498a84294d2700f74802134fcccbe9562d64435b5e6d8d4f3fb931e33cb92