Malicious PDF — malware analysis report

Static analysis result for SHA-256 09d98b3a253c2153…

MALICIOUS

PDF

Size: 76.3 KB
Created: 2021-03-17 05:36:15 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f35744cf8000ce5773c5d9d225bb010d
SHA-1: d95717d8e55e9aa39d550903bc19b02320e28829
SHA-256: 09d98b3a253c21530df3630264cdb8753546ae7e3eed18d6abda126398ef1bcb
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains heuristics indicating embedded URLs and is flagged by a machine learning classifier and ClamAV as malicious. The document body, though heavily obfuscated, suggests a lure related to 'Ar 15 schematic parts poster'. The primary malicious URL identified is https://nipisod.ru/strik?utm_term=ar+15+schematic+parts+poster, which likely serves as a phishing or malware distribution point.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (4)

  • ClamAV [critical] CLAMAV_DETECTION: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://nipisod.ru/strik?utm_term=ar+15+schematic+parts+poster
    • http://fodekofuxuvum.sportsontheweb.net/fewufikofit.pdf
    • https://cdn.sqhk.co/wekaradukuve/jiGaFSi/nopibalemedobopifaputivog.pdf
    • https://cdn.sqhk.co/podidiwi/E7ijjar/xesazizifakura.pdf
    • http://letinebab.mywebcommunity.org/8510766014.pdf
    • https://cdn.sqhk.co/walumupo/cjeiige/onkyo_hf_player_unlocker_apk_download.pdf
    • http://tokesuditetu.getenjoyment.net/atresia_esofagica_en_neonatos.pdf
    • https://cdn.sqhk.co/gizoxemovefi/gdh0uha/racing_car_2_player_free_games_online.pdf
    • https://cdn.sqhk.co/fukefipemuw/jjigWjg/rujegowevinagavonodepov.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://1fa67a36-2e8b-44cc-a955-751d80433762.filesusr.com/ugd/d85e51_c240546b82b04baebf187c090c5cb139.pdf?index=true
    • https://a9f3490c-def6-45ea-9957-aefa341d54bd.filesusr.com/ugd/84b587_989d125bbf1f4c89a5e19514711d635b.pdf?index=true
    • http://xomutojekes.myartsonline.com/assembler_des_en_ligne.pdf
    • http://biburusig.myartsonline.com/46674715595.pdf
    • https://s3.amazonaws.com/kokesatodixon/world_globe_map_template.pdf
    • http://kaloruligot.onlinewebshop.net/2014_taotao_110cc_atv_carburetor.pdf
    • https://2e6726a7-2e78-456a-9fa1-8bc85c3b20a6.filesusr.com/ugd/76e31d_028deb8cbc7d4688bbcfafb0edb35d0f.pdf?index=true
    • http://lutepotazor.onlinewebshop.net/600_essential_words_for_the_ielts.pdf
    • https://f8b2de7a-6012-4721-b8f1-df5267d6bb95.filesusr.com/ugd/8ebb60_4d2b8e426dae482296a4796255d6f4d4.pdf?index=true
    • https://91ca87c2-c493-4616-adaa-fbcec45394e1.filesusr.com/ugd/6116da_585876be9b3c445db6803d06932a5b05.pdf?index=true
    • https://s3.amazonaws.com/bifamomove/16305916773.pdf
    • https://4c2674ec-1430-4cec-a455-d6a35d10586e.filesusr.com/ugd/38955b_7e933d9ecf6a4be88c66a7388d815ee4.pdf?index=true
    • https://e1cd7dcf-8988-4be8-9b1a-722367337987.filesusr.com/ugd/6203b9_2fa3900bb777409ba7377eff05d9f4ac.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000eb8b.bin | d02abe823fa8ac05e773388ff54f0c34c2478d98c60470324a47e5176bbc8b37 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEB8B | 5304 bytes
font_01_sfnt_off0000fd78.bin | 022dc1e1e0c46454af47efb89464e17a7eda5fee972587274f542cc30342f380 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFD78 | 11392 bytes