Malicious PDF — malware analysis report

Static analysis result for SHA-256 434deb6dca29165f…

Verdict: MALICIOUS
File type: PDF
Size: 81.1 KB
Created: 2021-03-26 07:58:03 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 64c22571d14f3d7c8fe5e18a8f3944fa
SHA-1: b472a5b1f31c332c3af589b0498f4ff85bd00af9
SHA-256: 434deb6dca29165f6ae3aeddd421cf097f5db7e97103e736afab6d26373e3c45
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF document identified as malicious by ML classifiers and ClamAV. It contains an embedded URI pointing to 'https://nipisod.ru/wix?keyword=section+28.3+the+outer+planets+worksheet+answers', which is likely part of a phishing or malware distribution scheme. The document body, though heavily obfuscated, suggests a lure related to 'worksheet answers'. No scripts were extracted, but the presence of an external URI and the overall detection suggest an attempt to redirect the user to a malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted:
    • https://nipisod.ru/wix?keyword=section+28.3+the+outer+planets+worksheet+answers
    • http://psylath.com/program_to_annotate_free7k5in.pdf
    • http://kafidovomiguvo.mywebcommunity.org/what_is_the_world_political_map.pdf
    • http://lemafesopeposuz.mywebcommunity.org/laxonezofonex.pdf
    • http://fastnoutservice.ru/meaning_of_answerable_questionshd95o.pdf
    • http://kawlites.online/xbox_series_s_walmart_black_friday64jbh.pdf
    • http://pebonemariv.mypressonline.com/citizen_gn-4-s_specs.pdf
    • http://jinobuzid.scienceontheweb.net/18084636283.pdf
    • https://cdn.sqhk.co/purovufizu/qdOjgih/keynote_upper_intermediate_answer_key.pdf
    • http://lovelyhouse.online/how_can_i_play_the_original_final_fantasy_7vji9q.pdf
    • http://tryse.xyz/what_are_the_components_of_system_software9tn48.pdf
    • https://cdn.sqhk.co/pumopivosoba/rhi1Ljj/tukekoliwem.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://ff87c8b5-ca28-4ac0-94ba-218234037d87.filesusr.com/ugd/1d4e4f_d46fd3ff2445432384171edfe4a0ed4a.pdf?index=true
    • https://d17f4099-ecc1-42b1-9c73-51521793457c.filesusr.com/ugd/4a2613_e14509632adc404c8ac72af692bfc3b6.pdf?index=true
    • https://s3.amazonaws.com/wamatasamegu/bucket_list_movie_2018.pdf
    • https://992bddda-184d-467f-a815-0165b41a2208.filesusr.com/ugd/69695d_a24fa46678ac49a68fe7d331da46513d.pdf?index=true
    • https://s3.amazonaws.com/jijari/bevajonefovulebeb.pdf
    • https://92fa68c6-d088-48c5-94d9-776fe0504fc0.filesusr.com/ugd/5a053b_11fd1bbe22c14bb2b64c27b623f02424.pdf?index=true
    • https://s3.amazonaws.com/patilawasu/lagu_missing_you_btob_matikiri.pdf
    • https://ff102949-4c65-4b7b-925c-ea9a98d885fa.filesusr.com/ugd/7a16bb_0033445a298447649effee7d84c3f868.pdf?index=true
    • https://3f9320ff-391d-49df-b192-c557e211a93c.filesusr.com/ugd/469aea_d2ae850684204e88bb2e1f69bf25109e.pdf?index=true
    • https://s3.amazonaws.com/bisegilupuf/budapest_hungary_tourism_information.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000fe95.bin
    SHA-256: 9fc7c926351e35d9e0d41d2de52d67318d21f681123246a959254ccac840142a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFE95
    Size: 5800 bytes
  • font_01_sfnt_off0001126a.bin
    SHA-256: 0e3bbbbdbf0a4a8d8ea92f750479dee811e403410f324ca3b1d76d531aa020ba
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1126A
    Size: 10716 bytes