Malicious PDF — malware analysis report

Static analysis result for SHA-256 e7b72bf40de1e2d7…

MALICIOUS

PDF

88.0 KB Created: 2021-03-05 14:59:08 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-20
MD5: 5b342e19ee904ae4b40601accceb1778 SHA-1: d207bc030422b4de0f64036dca696492ad48d7a9 SHA-256: e7b72bf40de1e2d74c2ec5aa273564cc264e3a7bd1e633b6a4ab32fee6c604c8
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was identified as malicious by a machine learning classifier and ClamAV, indicating a high likelihood of malicious intent. Heuristics indicate the PDF contains a large number of external links, many hosted on disposable domains, suggesting a link farm or SEO spam operation. One URL, 'https://nipisod.ru/strik?utm_term=php+html+hidden+input+array', is directly referenced, and another, 'http://gisoboxizaza.mygamesonline.org/6700377831.pdf', is highlighted as part of a link farm. The document body is heavily obfuscated, preventing a clear understanding of its specific lure, but the overall structure points to malicious redirection.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9961

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://nipisod.ru/strik?utm_term=php+html+hidden+input+array PDF link annotation
    • http://gisoboxizaza.mygamesonline.org/6700377831.pdfIn PDF document text
    • http://pawomodom.medianewsonline.com/bevitiwidipabetoxovepofuk.pdfIn PDF document text
    • https://wuduzavuvavazi.weebly.com/uploads/1/3/4/6/134618101/dejafajilu_nugajukoro_wiforizajo_jetelulab.pdfIn PDF document text
    • http://gijofabenetawix.66ghz.com/74581753530.pdfIn PDF document text
    • http://tujugataro.22web.org/harbor_breeze_ceiling_fan_replacement_light_bulb.pdfIn PDF document text
    • https://tadinitalu.weebly.com/uploads/1/3/4/7/134744808/70690.pdfIn PDF document text
    • http://lusolakidareve.mywebcommunity.org/how_much_is_a_used_yamaha_baby_grand_piano_worth.pdfIn PDF document text
    • http://nageramuvepom.mywebcommunity.org/how_fast_can_a_rzr_170_go.pdfIn PDF document text
    • https://lobejimore.weebly.com/uploads/1/3/1/3/131383478/tabatalefure-fesukeze-febojerula-bijowipilez.pdfIn PDF document text
    • http://rozujed.sportsontheweb.net/pioneer_ddj_sx2_price_in_kenya.pdfIn PDF document text
    • http://safilow.iblogger.org/wisdom_of_solomon_chapter_7_kjv.pdfIn PDF document text
    • https://pomisefinare.weebly.com/uploads/1/3/4/9/134902228/livatubuparogi-wasitipasom-jowup.pdfIn PDF document text
    • https://bumobuzeki.weebly.com/uploads/1/3/4/4/134477779/1932426.pdfIn PDF document text
    • http://riforemepenog.iblogger.org/abyssal_sire_pure_guide.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://19f621d4-ab03-49b5-bf1d-c78de40104d4.filesusr.com/ugd/bc84a3_e3c230cfa7c744d29da1867a8e0d2e7a.pdf?index=trueIn PDF document text
    • https://52c77544-2eb8-427c-ad0e-a8a7e2ea9366.filesusr.com/ugd/93288f_6bb03f0df8724b968936c1c86c8dfb7e.pdf?index=trueIn PDF document text
    • https://98cdd5c5-c43e-49eb-9373-39517e896cbb.filesusr.com/ugd/90661f_d4243ece49a4491aae65ac35fe1b8f57.pdf?index=trueIn PDF document text
    • https://e0eedba4-cf99-4c42-97f5-d3f9ae5832dd.filesusr.com/ugd/e36ea7_a58907f97e96479cbe5a3ef9b3a0826f.pdf?index=trueIn PDF document text
    • https://81da36f4-dec6-4bf4-836b-19ed67500659.filesusr.com/ugd/5fd5c1_7b0c51a4ba7640a8984f43173a1366a3.pdf?index=trueIn PDF document text
    • https://538d8494-0c7d-401a-b890-0485f6bc7bca.filesusr.com/ugd/29c71c_cffac207aa50408ba2bf4e25dfec05fd.pdf?index=trueIn PDF document text
    • https://b56e00ce-d729-42e9-814b-b9a4b194f5ba.filesusr.com/ugd/f6f93f_eff4226154be4edea03a3a42fe5ed9fb.pdf?index=trueIn PDF document text
    • https://528a8416-53f4-4693-bcf0-540471887af1.filesusr.com/ugd/c3aa89_05c16a6f51374c169bd39e93bedad20d.pdf?index=trueIn PDF document text
    • http://kijaripejugap.epizy.com/kusilijupatitijurita.pdfIn PDF document text
    • https://4bf641bf-117a-4913-931f-55e49063997f.filesusr.com/ugd/5befcb_3fd629cefe2c4053b19e1b422c5dbe77.pdf?index=trueIn PDF document text
    • https://e49cd12a-7e53-4a25-9f98-ae37b5ff2e44.filesusr.com/ugd/35dc59_946138702e9a455784c238ae28815ff0.pdf?index=trueIn PDF document text
    • https://488c2ff9-9ff4-499e-8f11-525115e20b22.filesusr.com/ugd/8aba0c_250d635d871545aba629e68b53bbf6a5.pdf?index=trueIn PDF document text
    • https://989244f3-426d-4557-b4f1-0018dac9047c.filesusr.com/ugd/57c819_cf3a4efe78164895ab1fc33ca90972fb.pdf?index=trueIn PDF document text
    • https://1527c8d3-3321-4e9f-872f-e2bebb57bac2.filesusr.com/ugd/bf2d42_f052629db2854314a5036eb4075e1a4b.pdf?index=trueIn PDF document text
    • https://aed022ca-8a9d-452d-9022-56a74a585a14.filesusr.com/ugd/4d548e_f8dba5b2291d44e4a9e556da449951dd.pdf?index=trueIn PDF document text
    • https://b564fea6-732e-489f-a029-a72dc6590de2.filesusr.com/ugd/6a4619_aadeb87ac97c4d3183302193f89656c3.pdf?index=trueIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00011624.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x11624 5124 bytes
SHA-256: f8966bcfca0820be19ae93faf0b6b966f66ea74fec2a6c109ce5723f4288b048
font_01_sfnt_off00012769.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x12769 12872 bytes
SHA-256: 871ff38489997c55c51aba9a3712ef935d3c2648ae0e6483fdd042657b04eae6

Open this report in the interactive analyzer, or submit your own file for analysis.