Malicious PDF — malware analysis report

Static analysis result for SHA-256 3545ac3ca2fc7791…

Verdict: MALICIOUS
File type: PDF
Size: 87.2 KB
Created: 2021-04-05 05:44:58 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c91815a8969affeb288869f109255447
SHA-1: d8b93ea59bf5db9aa8e015140e44defbfd1b90a1
SHA-256: 3545ac3ca2fc7791fdab8b028060d03da1c2b116724ed98e7bb91b0d69a81c26
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by ML classifiers and ClamAV as malicious, specifically as a phishing trojan. It contains an embedded URI pointing to 'https://nipisod.ru/wix?keyword=houghton+mifflin+harcourt+publishing+company+answer+key+algebra+2', which is likely a phishing lure disguised as a search result. The document body, though heavily obfuscated, suggests a connection to educational content, reinforcing the phishing pretext.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9989

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://nipisod.ru/wix?keyword=houghton+mifflin+harcourt+publishing+company+answer+key+algebra+2

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000ffda.bin
    SHA-256: 039a4072e90df62332c36e25ac6650ecc60802e9d5365b48155cd88cc71e4dd5
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xFFDA; Size: 5920 bytes
  • font_01_sfnt_off000113f2.bin
    SHA-256: b1fe548c59ebfb2846d59ed1f7baa5bcced0cf8a6e4e59dde1dbd72eea15606b
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x113F2; Size: 10948 bytes
  • font_02_sfnt_off00013970.bin
    SHA-256: 9af6fc3bf9d751f70540aea0fa47faa159a3604992cda23d2adcda3ffc5346b2
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x13970; Size: 16092 bytes