Malicious PDF — malware analysis report

Static analysis result for SHA-256 17fc9092f004892f…

Verdict: MALICIOUS
File type: PDF
Size: 114.0 KB
Created: 2021-03-31 21:03:50 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 239c9c8796ea63769d5b4c2ad02c5cc1
SHA-1: 764d89a049dbb24095735a78601427390a33923d
SHA-256: 17fc9092f004892f890d465c87293fa0b08ab28a3177add882ec788c1ac7005f
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged by multiple heuristics, including a critical ClamAV detection and an ML classifier, indicating malicious intent. The embedded URL 'https://pelibifir.ru/award?keyword=teoria+epigenetica+pdf' suggests a phishing or scam attempt, likely designed to trick users into downloading further malware or revealing sensitive information. No scripts were extracted from this sample, but the presence of external URIs points towards downloader or redirector functionality.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted:
    • https://pelibifir.ru/award?keyword=teoria+epigenetica+pdf
    • https://dizuvojuxi.weebly.com/uploads/1/3/1/1/131163617/802108.pdf
    • https://gilinolejokakis.weebly.com/uploads/1/3/4/6/134632374/bigutizid_nirer_laxupowobuvote.pdf
    • http://tafuxasomup.getenjoyment.net/accounting_standards_in_marathi.pdf
    • https://kunobile.weebly.com/uploads/1/3/4/5/134517695/7907963.pdf
    • http://jerugujekema.getenjoyment.net/deloitte_case_study_example.pdf
    • https://cdn.sqhk.co/kivipemo/uhaPgjX/fire_alarm_testing_report_format.pdf
    • https://cdn.sqhk.co/fepotifomowa/bhd11jc/playstation_experience_2019_location.pdf
    • http://witomemu.scienceontheweb.net/cumulative_frequency_histogram.pdf
    • http://vofufime.mypressonline.com/vodijawozumesapifutod.pdf
    • https://cdn.sqhk.co/diruzatojep/l7L7yOO/guild_wars_2_class_choosing_guide.pdf
    • https://boburebapexew.weebly.com/uploads/1/3/4/5/134597485/9929329.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/e0205564-c2ae-4316-879c-c872863d66a3/safatisowex.pdf
    • https://s3.amazonaws.com/moduluzuxikari/50651185366.pdf
    • http://guseboses.atwebpages.com/75571970787.pdf
    • https://uploads.strikinglycdn.com/files/b2420083-a922-465b-a1f0-7107d72b67c5/emergency_medicine_physician_jobs_texas.pdf
    • https://uploads.strikinglycdn.com/files/45a1bcda-928d-4f38-ba84-0488fe7a2cdf/83284333664.pdf
    • https://s3.amazonaws.com/guvovigo/sojujexekunomanibokude.pdf
    • https://s3.amazonaws.com/wudibirewuduto/kathi_tamil_video_songs_mp4.pdf
    • https://uploads.strikinglycdn.com/files/6376f8e3-73f7-4292-8a28-d4b5e2b8bfb9/78610500632.pdf
    • https://uploads.strikinglycdn.com/files/c5de7b1e-f1af-4576-97ad-d2e56e3f9d8b/naxunufasarutozoxu.pdf
    • https://s3.amazonaws.com/vufuzewasi/how_much_did_the_narnia_cast_get_paid.pdf
    • https://s3.amazonaws.com/rebesudanolo/34069943155.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • Filename: font_00_sfnt_off00017d49.bin
    SHA-256: e670a5196d9572e0b7e8a3e57e5a2add66d709a8a0cd084e0a70262bd45f1881
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x17D49
    Size: 5060 bytes
  • Filename: font_01_sfnt_off00018e90.bin
    SHA-256: 665e4ea518cf7e950313bbbd4854878f7308498f092cc7015bb67a14d84e239e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x18E90
    Size: 13980 bytes