PDF malware analysis — malicious · 25f41aa7c68fe2fa

MALICIOUS

PDF

449.9 KB Created: 2021-03-14 23:17:43 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 0d9f9deeb54629bd12ada253122ad5dd SHA-1: a2431678d01b903e3b0304206f0b10c4054b4bc2 SHA-256: 25f41aa7c68fe2fad48858c23723628bbf4c6614d33920776a201c744bc3b6c5

64 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is identified as malicious by ClamAV with a 'Pdf.Phishing.Trojan' signature. It contains an embedded URI pointing to 'https://nipisod.ru/wix?keyword=geometry+unit+1+test+review+answers', which is highly suspicious and likely serves as a lure for phishing or malware delivery. The document body, though heavily obfuscated, suggests a theme related to 'Geometry unit 1 test review answers', reinforcing the phishing pretext.

Machine Learning

Nyx PDF Classifier clean score 0.0328

Heuristics 3

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://nipisod.ru/wix?keyword=geometry+unit+1+test+review+answers
- https://cdn-cms.f-static.net/uploads/4408866/normal_6045f6d21e7df.pdf
- https://bagibobujinokat.weebly.com/uploads/1/3/5/3/135312275/bafixiz.pdf
- https://cdn-cms.f-static.net/uploads/4459780/normal_5fd21c1c0f2cc.pdf
- https://vopesowe.weebly.com/uploads/1/3/4/6/134638419/tipimuli.pdf
- https://cdn-cms.f-static.net/uploads/4380543/normal_6034e9d6dd87a.pdf
- https://static.s123-cdn-static.com/uploads/4366339/normal_5fcd059a75482.pdf
- http://gisoboxizaza.mygamesonline.org/nuzakudelojofox.pdf
- http://jafoxidulez.mypressonline.com/second_grade_printable_money_worksheets_2nd_grade_math.pdf
- https://pevaluxuduta.weebly.com/uploads/1/3/4/5/134502983/6550483.pdf
- https://cdn-cms.f-static.net/uploads/4378852/normal_5fd6546d3d102.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://uploads.strikinglycdn.com/files/5fac3109-85f5-4054-8218-5067f69ee36a/romeo_and_juliet_malayalam_download.pdf
- https://uploads.strikinglycdn.com/files/fa37fd5a-e5fc-4f5b-9d5f-5a484c500ce6/ac_joint_injury_rehabilitation_exercises.pdf
- https://uploads.strikinglycdn.com/files/660478de-201b-49c4-b4d4-07a9d0089fe7/sony_dav_dz170_push_power_protector.pdf
- https://uploads.strikinglycdn.com/files/42e15f3c-8f19-4ac7-91de-177856725b75/87728901501.pdf
- https://uploads.strikinglycdn.com/files/a93d62d5-7786-4a2e-80b0-940ea024dad0/eragon_inheritance_ending.pdf
- https://uploads.strikinglycdn.com/files/2447e0f8-7314-452c-b128-46fa70c0aa55/26599549665.pdf
- https://s3.amazonaws.com/bulikowexunepov/rectangular_coordinate_system_worksheet.pdf
- https://s3.amazonaws.com/natewared/80314466090.pdf
- https://uploads.strikinglycdn.com/files/ab3d7051-564d-4795-9676-72a72457fe63/91992167872.pdf
- https://uploads.strikinglycdn.com/files/975df687-f915-424f-8c8c-5030d9f31a77/vojononu.pdf
- http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0006c292.bin` `91c65d4daef29bab276e56b606f9c5013e4f13bc29c78e9eee33dd87ab02342c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6C292	2996 bytes
`font_01_sfnt_off0006cd57.bin` `2feaea327bfecfa2614f42f7a71d33c3f57fe712853780fd29594fe5a089e0a0`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6CD57	5136 bytes
`font_02_sfnt_off0006dedc.bin` `dc37461816ec92f0ed1316601fd5c6b06f5c1a5be203c138b3c3c6cdf5da3806`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6DEDC	2024 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.