PDF malware analysis — malicious · 1089984ce5fa83d5

MALICIOUS

PDF

80.9 KB Created: 2021-03-10 11:47:49 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: d271bc156a9a93cdd0d16d1668c9d037 SHA-1: d4825b543894c247ba979207148ad47d5f27b9bd SHA-256: 1089984ce5fa83d5df0d9b0b561fd87dc9e293e87c4ca27aa367d0effaa02af1

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is a PDF document that contains a lure related to a "Simpson pressure washer manual". It embeds external URIs, with the highest priority IOC being https://nipisod.ru/strik. The ML classifier and ClamAV detection strongly indicate malicious intent, likely phishing or malware distribution.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://nipisod.ru/strik?utm_term=simpson+pressure+washer+manual
- https://cdn-cms.f-static.net/uploads/4418791/normal_5fd9abfd14c24.pdf
- http://jumpfs.space/herman_miller_aeron_used_melbournewbdqt.pdf
- https://cdn-cms.f-static.net/uploads/4412773/normal_603969a646a90.pdf
- https://static.s123-cdn-static.com/uploads/4374957/normal_5fe2f84156e18.pdf
- https://static.s123-cdn-static.com/uploads/4408976/normal_6002c5fe7a31d.pdf
- https://static.s123-cdn-static.com/uploads/4452853/normal_5ffae95387e64.pdf
- http://policyhelpcenter.com/42804310555am20j.pdf
- http://artdebug.site/interaction_1_reading_answer9vzri.pdf
- https://static.s123-cdn-static.com/uploads/4383795/normal_60049083b1263.pdf
- http://parrrtner.xyz/mikorisokerawinakuwume3lmo5.pdf
- https://cdn-cms.f-static.net/uploads/4401982/normal_60458073649bf.pdf
- https://cdn-cms.f-static.net/uploads/4501777/normal_6031e0efdb9ac.pdf
- https://cdn-cms.f-static.net/uploads/4424672/normal_6031c205197d2.pdf
- http://copyrighytsupport.com/clean_install_skyrimzqaim.pdf
- http://milesnires.xyz/what_is_a_student_information_sheetlplww.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://s3.amazonaws.com/vososasoxumete/2661869214.pdf
- https://s3.amazonaws.com/pilazi/86864265473.pdf
- https://s3.amazonaws.com/xaliwalufoguni/winrar_5._01_full_keygen.pdf
- https://s3.amazonaws.com/tokatefozude/a_b_s_t_ki_full_form.pdf
- https://s3.amazonaws.com/genukopapovixo/cnbc_reporter_salary.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000fee2.bin` `d39cccb15ed886ff91d65ba382673907fbaff6c7242f26b9342a29d83d60ec39`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xFEE2	5256 bytes
`font_01_sfnt_off0001109f.bin` `73ce70ef03da756cd9492262fef377ffe1a84c65b4613f5239f0320567869b6e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1109F	11216 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.