Malicious PDF — malware analysis report

Static analysis result for SHA-256 a47ef04d03198430…

MALICIOUS

PDF

Size: 95.8 KB
Created: 2021-03-22 05:56:26 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5d188f506381babc64ad97395fe964fc
SHA-1: 4594a96bc94eb85590b2740705011cec1b78cc14
SHA-256: a47ef04d031984306014975a26285f89b5226b6477bf992d8c06622128fb14b6
Risk Score: 104

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by ClamAV as Pdf.Phishing.Trojan, and a machine learning classifier indicated a high probability of maliciousness. The document body, though heavily obfuscated, contains references to 'The blind side netflix india', and the presence of an external URI pointing to 'nipisod.ru' suggests a phishing attempt to harvest credentials. The file's metadata indicates it was generated by wkhtmltopdf, a tool often used to create PDFs from web content, which further supports the phishing-lure hypothesis.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL https://nipisod.ru/strik?utm_term=the+blind+side+netflix+india
    • https://dawosovakix.weebly.com/uploads/1/3/6/0/136097295/9889507.pdf
    • https://dikugero.weebly.com/uploads/1/3/4/3/134356342/6c5f3b86.pdf
    • https://xigujevaw.weebly.com/uploads/1/3/4/7/134701692/tesexatekomiro.pdf
    • https://cdn.sqhk.co/gadewekunel/QEXWiel/retro_motorcycle_speedometer_uk.pdf
    • https://cdn.sqhk.co/jekurona/hcDBbAD/spartan_runner_unblocked.pdf
    • https://pefobasor.weebly.com/uploads/1/3/4/1/134131397/pupotesaw-mowofanedugu-rojaguvinokoju-bezoborotixapek.pdf
    • https://cdn.sqhk.co/maduzonuxoke/jKYZYeH/physiopathologie_appendicite_aigue.pdf
    • https://vitafidazi.weebly.com/uploads/1/3/4/7/134728623/fuwotidanowomifuvomo.pdf
    • https://cdn.sqhk.co/dibirolinu/haSZv5T/toggle_meaning_in_malayalam.pdf
    • https://static.s123-cdn-static.com/uploads/4478131/normal_5ff13de11789a.pdf
    • https://cdn.sqhk.co/xugikokazo/cvgeaKL/pajuvogupinowamitipikaved.pdf
    • https://cdn-cms.f-static.net/uploads/4482023/normal_60445a9f9fb4b.pdf
    • https://cdn-cms.f-static.net/uploads/4499653/normal_60568361f2ee2.pdf
    • http://newuwedeza.mypressonline.com/four_main_types_of_writing.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdd249b8-77b1-4a94-b024-8995efe4d959.filesusr.com/ugd/d394ff_a5d92db5372f419c9d47885985827fc6.pdf?index=true
    • https://uploads.strikinglycdn.com/files/49c2d555-54a1-4fa3-a094-5807fda5ba12/kenmore_elite_vacuum_reviews.pdf
    • https://uploads.strikinglycdn.com/files/d039df50-34ee-421e-a5c7-8283170c5fa1/positive_behavior_support_plan_for_adhd.pdf
    • https://uploads.strikinglycdn.com/files/91063f0e-8ab6-4862-90c8-eae32cf3f91f/rii_mini_x1_pairing.pdf
    • http://romofimor.onlinewebshop.net/afcat_question_papers_free_download.pdf
    • https://uploads.strikinglycdn.com/files/688b1fb0-49e4-4a87-9b6f-f17618e36736/27663299598.pdf
    • https://c6f55193-7475-4343-97dd-33cb3b141b6a.filesusr.com/ugd/808d8c_fa41e655e9fe47319147c8b53f532617.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

  • font_00_sfnt_off0000dc5c.bin
    SHA-256: 428a08fed10c12dba6716fcdac127b7096583c4305dad1bef2210dd2721997f8
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDC5C
    Size: 29332 bytes
  • font_01_sfnt_off00013842.bin
    SHA-256: 3ba1faec9a4c32b7b6bd99a64acafcdbed7b473f71357bc84746a73566338cee
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x13842
    Size: 5056 bytes
  • font_02_sfnt_off0001496f.bin
    SHA-256: 872de5ff69ea480e804f739a655a66d6002bd098544bfa7482f6d4cdbe8aafc3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1496F
    Size: 11368 bytes