Malicious PDF — malware analysis report

Static analysis result for SHA-256 1df58fb5457ed8b7…

MALICIOUS

PDF

Size: 78.2 KB
Created: 2021-03-23 11:42:04 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 1b91f6f1a122cb024179cb37ef0c722e
SHA-1: 08114820405ee50838852f996f9ed80db7e0ed32
SHA-256: 1df58fb5457ed8b7ef02985b0e87dfc4902f88c65e457139f1e7ef46302009fb

Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by ML classifiers and ClamAV as malicious, specifically as a phishing trojan. It contains an embedded URL pointing to 'nipisod.ru', which is likely part of the phishing lure. The document body, though heavily obfuscated, suggests a theme related to barcode generation, which is used to disguise the malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://nipisod.ru/award?keyword=generate+barcode+itext+pdf
    • https://cdn-cms.f-static.net/uploads/4376120/normal_601b7dca8a387.pdf
    • https://static.s123-cdn-static.com/uploads/4415537/normal_5fca752b23181.pdf
    • https://cdn-cms.f-static.net/uploads/4417669/normal_6014e3a2424b3.pdf
    • https://static.s123-cdn-static.com/uploads/4456140/normal_5fcfa479bc4d0.pdf
    • http://tonilukibifed.iblogger.org/delomado.pdf
    • https://cdn-cms.f-static.net/uploads/4473340/normal_604e18171e0ce.pdf
    • https://cdn-cms.f-static.net/uploads/4490738/normal_602c9f8849efb.pdf
    • https://static.s123-cdn-static.com/uploads/4408866/normal_60072668571bf.pdf
    • https://cdn-cms.f-static.net/uploads/4491151/normal_600aa623764cf.pdf
    • https://static.s123-cdn-static.com/uploads/4465015/normal_5ffe50071d493.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/2667bfa8-302f-47ea-b1b2-6609ae32438c/putting_the_one_minute_manager_to_work_free_download.pdf
    • http://tatasoge.epizy.com/brushed_cotton_bedding_fitted_sheets.pdf
    • https://uploads.strikinglycdn.com/files/e6b4fb90-a7a5-4bdc-86b3-ef3fd4e57049/does_toshiba_smart_tv_have_android.pdf
    • http://sedoguzod.rf.gd/23501798777.pdf
    • https://uploads.strikinglycdn.com/files/8ad2887e-5020-4f4b-8588-62743553b62c/24409369627.pdf
    • https://uploads.strikinglycdn.com/files/9f66a014-6ec1-4493-b723-372df0b5b6cd/top_positive_thinking_podcasts.pdf
    • http://zawofepak.epizy.com/19140890898.pdf
    • https://uploads.strikinglycdn.com/files/c0e452b8-6237-4372-9248-47501a110036/how_to_make_a_log_splitter.pdf
    • https://uploads.strikinglycdn.com/files/4e242176-9835-4136-9790-d6b52c871d5f/8433768058.pdf
    • http://tosasip.epizy.com/webup.pdf
    • http://wipemovawizofi.epizy.com/62006341129.pdf
    • http://gewafemewod.epizy.com/how_to_use_sb_700_speedlight.pdf
    • https://uploads.strikinglycdn.com/files/cd463566-93a2-4cc6-9e90-830ff76cced7/kugibibadizisekov.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000f020.bin
    SHA-256: dbf72464dba62a96bfcdb21a5e62d3923dc1258e7fa5b1b12a34e1f344b22fe5
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF020
    Size: 5180 bytes
  • Filename: font_01_sfnt_off000101d1.bin
    SHA-256: 2436f032e479a07cbf1a3856274cf5aebceca412db73eda271f02505f4ef9e27
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x101D1
    Size: 11740 bytes