Malicious PDF — malware analysis report

Static analysis result for SHA-256 ee771c7b1a22fc62…

Verdict: MALICIOUS
File type: PDF
Size: 75.2 KB
Created: 2021-04-02 23:27:45 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 596bb47aa5ae574e8c22137b16ec9bfe
SHA-1: d50c34ceaf5f497572c7481bde11213ce29559a7
SHA-256: ee771c7b1a22fc6200330754ca901909eb8a8f2edd178a0c2d43081b710e7a78
Risk score: 96

Malware Insights

MITRE ATT&CK: T1566.001 (Phishing: Spearphishing Attachment), T1059.007 (Command and Scripting Interpreter: JavaScript)

The PDF contains a large number of external links, most of them to other PDFs hosted on free site builders (weebly.com, strikinglycdn.com, filesusr.com, f-static.net), which is the pattern of a generated SEO link farm built to manipulate search engine results. The primary malicious URL is https://nipisod.ru/strik, reached with a utm_term that mirrors a benign search query ("what is the chemical structure of olive oil"): the document presents itself as a search result for that query and routes the reader into the delivery chain described by the link-farm heuristic. The ML classifier scores the file as malicious with high confidence, and the structure (a small wkhtmltopdf-generated document made up largely of clickable external links) is consistent with a traffic-driving carrier rather than a genuine document. No JavaScript indicator appears among the heuristics below, so the T1059.007 mapping is not confirmed by this static pass.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9998

Heuristics (4)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://nipisod.ru/strik?utm_term=what+is+the+chemical+structure+of+olive+oil
    Other extracted URLs:
    • https://degiviwab.weebly.com/uploads/1/3/2/6/132680905/5934089.pdf
    • https://kuvitoguke.weebly.com/uploads/1/3/0/8/130813837/d4c66b90f4c.pdf
    • https://cdn-cms.f-static.net/uploads/4418180/normal_6063e95431981.pdf
    • https://pefisidedufe.weebly.com/uploads/1/3/4/9/134902532/8c5c907e43b9.pdf
    • https://cdn-cms.f-static.net/uploads/4425501/normal_6028345c789db.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/2f053692-1e83-42b7-a4f8-01d559f638bc/how_to_train_your_dragon_movies_and_shows_in_chronological_order.pdf
    • https://8cff94d3-ecab-4ea5-ad27-d3e67d02fd32.filesusr.com/ugd/2813e2_4874b11597a34ec0b77fc673167a460f.pdf?index=true
    • https://1923692e-f727-4f58-80a8-3583160180e3.filesusr.com/ugd/c4ccc4_54158ac92e3d4f16adf02a3094a679cd.pdf?index=true
    • https://uploads.strikinglycdn.com/files/3a6a298b-1cd2-44d9-88d6-25d4a2aa67da/conexant_audio_driver_windows_10_lenovo_g560.pdf
    • https://uploads.strikinglycdn.com/files/722af9af-11bc-4d0f-9aeb-59060d42b53a/what_size_battery_for_craftsman_riding_lawn_mower.pdf
    • https://uploads.strikinglycdn.com/files/19e9d76f-93c0-4db8-8625-eef3622236c2/how_to_pose_like_a_model_woman.pdf
    • https://uploads.strikinglycdn.com/files/cb6361b6-a437-481c-8e4f-5125e18c021d/how_to_reset_my_nordictrack_elliptical.pdf
    • https://uploads.strikinglycdn.com/files/74373cef-a90a-4122-95c1-b1fe1923f2ee/what_is_the_best_long_pole_hedge_trimmer.pdf
    • https://46d16763-6c5f-4e19-aa2c-3f4071fcbec2.filesusr.com/ugd/26f730_355367760c2148b0aecd43298d797323.pdf?index=true
    • https://504706c9-3a86-45eb-876a-6494ef133fff.filesusr.com/ugd/80c1db_8913029d5fce4c9bb1936dc03b979dcd.pdf?index=true
    • https://uploads.strikinglycdn.com/files/4bf278db-f3e8-4911-9db5-ade08b73f469/fimonexava.pdf
    • https://uploads.strikinglycdn.com/files/649be7c6-2a91-4e01-adbf-95b0bd4e5cdc/28172444143.pdf
    • https://eb72eaa1-ef55-40a3-a653-f6d21bccf295.filesusr.com/ugd/54913d_0f2831a356b5421292790b96e49d29cc.pdf?index=true
    • https://uploads.strikinglycdn.com/files/342dc1d7-99c7-4356-b0f6-108e3c4a2286/gobegewi.pdf
    Namespace and licence URIs from document and font metadata (identifiers, not clickable links):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
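To make the three PDF heuristics above concrete (PDF_URI, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL), here is an added Python example; it is not the analyser's own code. The sample PDF bytes are constructed, and the thresholds (at least 3 links, at most 200 KB, at least half of the links on the top host) and the list of keys counted as "active content" are assumptions. It scans the raw bytes with regular expressions and deliberately ignores the xref table, so it sees every definition of an object rather than the one a conforming reader would select; that is the point, since a first-wins and a last-wins parser pick different bodies.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample, not the analysed file: four /Link annotations (three on one
# host) and object "4 0" defined twice with different bodies, the second one
# carrying a /JavaScript action. No xref table; the scanner below does not need one.
SAMPLE_PDF = rb"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R 6 0 R 7 0 R 8 0 R] >> endobj
4 0 obj << /S /GoTo /D [3 0 R /Fit] >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://farm.example/a.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://farm.example/b.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://other.example/) >> >> endobj
8 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://farm.example/c\).pdf) >> >> endobj
4 0 obj << /S /JavaScript /JS (app.alert\(1\)) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# A /URI action value given as a literal string; handles backslash-escaped
# characters such as \) inside the parentheses (octal escapes are not decoded).
URI_RE = re.compile(rb'/URI\s*\(((?:\\.|[^\\)])*)\)')
# Every "N G obj ... endobj" definition in file order, whether or not the xref points at it.
OBJ_RE = re.compile(rb'(?<!\d)(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj', re.DOTALL)
# Keys that make a body "active content" (assumed list, following the heuristic text).
ACTIVE_RE = re.compile(rb'/(JavaScript|JS|Launch|URI|SubmitForm|GoToR)\b')


def extract_uris(pdf: bytes) -> list:
    """PDF_URI: all external URL actions, in file order, with PDF string escapes removed."""
    return [re.sub(rb'\\(.)', rb'\1', m.group(1)).decode('latin-1')
            for m in URI_RE.finditer(pdf)]


def link_farm_verdict(pdf: bytes, min_links: int = 3, max_size: int = 200 * 1024,
                      min_top_share: float = 0.5) -> dict:
    """PDF_SEO_LINK_FARM: small file, many links, most of them on one host.
    The thresholds are assumptions, not the analyser's."""
    uris = extract_uris(pdf)
    hosts = Counter(urlsplit(u).hostname for u in uris)
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_n / len(uris) if uris else 0.0
    flagged = len(pdf) <= max_size and len(uris) >= min_links and share >= min_top_share
    return {'links': len(uris), 'top_host': top_host, 'top_share': share, 'flagged': flagged}


def find_duplicate_objects(pdf: bytes) -> dict:
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: objects whose (number, generation) is
    defined more than once with different bytes. 'first' is what a first-wins
    reader resolves, 'last' what a last-wins reader resolves; 'active' says
    whether any of the differing bodies carries an action key."""
    bodies = {}
    for m in OBJ_RE.finditer(pdf):
        key = (int(m.group(1)), int(m.group(2)))
        bodies.setdefault(key, []).append(m.group(3).strip())
    report = {}
    for key, seen in bodies.items():
        distinct = list(dict.fromkeys(seen))        # dedupe, keep file order
        if len(distinct) > 1:
            report[key] = {'first': distinct[0], 'last': distinct[-1],
                           'active': any(ACTIVE_RE.search(b) for b in distinct)}
    return report


if __name__ == '__main__':
    print(link_farm_verdict(SAMPLE_PDF))
    for (num, gen), info in find_duplicate_objects(SAMPLE_PDF).items():
        print(f'{num} {gen} obj defined more than once; active={info["active"]}')
        print('  first-wins:', info['first'].decode('latin-1'))
        print('  last-wins: ', info['last'].decode('latin-1'))
```

On the sample the link-farm check flags the file (4 links, 3 of them on farm.example) and the duplicate-object check reports object 4 0 with a benign /GoTo body for a first-wins reader and a /JavaScript body for a last-wins reader, which is exactly the case where the heuristic text says severity should be raised. Against a real sample, run the same functions over the whole file after inflating any object streams, since objects hidden inside /ObjStm streams are not visible to a raw byte scan.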

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                        Kind              Source                                      Size
font_00_sfnt_off0000ea17.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0xEA17   5192 bytes
  SHA-256: 76f14b7b3a0fcf80abefd7cb9cdd2042454db843cac8232314ced56dbe908ea4
font_01_sfnt_off0000fba7.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0xFBA7   10712 bytes
  SHA-256: 962700acfdd0731a5e59edd06638a2112c538182d30c6d7a49025c2e30a4f4db