Malicious PDF — malware analysis report

Static analysis result for SHA-256 3ee3788798f04056…

Verdict: MALICIOUS
File type: PDF
Size: 99.5 KB
Created: 2021-03-24 22:54:56 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 3278ae3b5e31c2af911832fc8cb7f841
SHA-1: d6e781af7b1d449079dd00f876de86b48491e6ea
SHA-256: 3ee3788798f04056d747c4f601405e894fdff6a81350634bc52cd423deb6872f

Risk Score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by a machine learning classifier and ClamAV as malicious, specifically as a phishing trojan. It contains an embedded URL pointing to 'nipisod.ru', which is likely part of a phishing or malware distribution scheme. Although no scripts were explicitly extracted, the PDF structure and embedded URLs suggest an attempt to redirect the user to a malicious site, potentially for credential harvesting or further payload delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://nipisod.ru/award?keyword=meaning+of+biogeography+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off00014689.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x14689  5340 bytes
    SHA-256: 8d813271d5efbec1b4bb7cd8d1753188a867b10f4ad7ed0f9b830f1877bdbda9
font_01_sfnt_off000158c0.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x158C0  12328 bytes
    SHA-256: 4ea9c7c3b2db47c41878b5999d31506baf2139ff38c4fccb7894124d8cdf4990