Malicious PDF — malware analysis report

Static analysis result for SHA-256 5b52d85ab984dddf…

MALICIOUS

PDF

Size: 102.6 KB
Created: 2021-03-11 20:33:35 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-06-17
MD5: 307db2884662b056756b994ef58a476e
SHA-1: ebd0d6a1b76d41769160ee3d11788ef933dcc18e
SHA-256: 5b52d85ab984dddfab6008acc4aa874896fafdf9af12126612737ed281969f0d
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains an embedded URI pointing to 'https://nipisod.ru/wix?keyword=memes+ap+gov+iblog', which is flagged as a high-risk indicator. ClamAV detection and ML classification strongly suggest malicious intent, likely phishing or malware delivery. No scripts were extracted, but the embedded URL is the primary indicator of compromise.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9957

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://nipisod.ru/wix?keyword=memes+ap+gov+iblog (PDF link annotation)

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off0000f513.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF513 | 6440 bytes | 01dc67247d5fd41dea1d51365b3c5649bc146092a51af8f97e1df04693bf8f21
font_01_sfnt_off00010505.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10505 | 5248 bytes | 59ee5ee55046dc66e01fc2f73fd4b1b1ac07f724d3557e5da5146bf5585b6bee
font_02_sfnt_off000116da.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x116DA | 18028 bytes | 889359c53a48a915ac51023534c619d54783b0b753074816b37388497a7358a5
font_03_sfnt_off00014d44.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x14D44 | 11128 bytes | 066e383b93c25c438edadfcef6bd16b1e4af4dcb0ab32653cfe307967609b21f
font_04_sfnt_off00017341.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x17341 | 17504 bytes | 9de7f17e44027ae92fd2f3b9504ee0c2a63232a2c00fde4a752e4aa38fc3e1f1