Malicious PDF — malware analysis report

Static analysis result for SHA-256 a983436295e7b3e8…

Verdict: MALICIOUS
File type: PDF
Size: 78.1 KB
Created: 2021-03-12 01:37:03 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3eaf7067d1641c9b5c182338a652c6f1
SHA-1: 77d93be2cdfe8b2d622a2028893b02ce1f94ad02
SHA-256: a983436295e7b3e805d78dc81b03409ef0aca9afe3b5e84b9d32316216ea5763
Risk Score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file was detected as a malicious PDF by ML classifiers and ClamAV, specifically flagged as Pdf.Phishing.Trojan. It contains an embedded URI pointing to 'https://pelibifir.ru/wix?keyword=bacteria+vs+virus+worksheet', suggesting a phishing or malware distribution attempt. The document body appears to be obfuscated or corrupted, but the presence of the external URI and the detection signatures strongly indicate malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://pelibifir.ru/wix?keyword=bacteria+vs+virus+worksheet

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename (SHA-256) | Kind | Source | Size
font_00_sfnt_off0000f6eb.bin (0e6e6fbea7826bebd55f8204a41cb45da1640efda6ce80c1f1b22467fce86fa8) | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF6EB | 5120 bytes
font_01_sfnt_off0001086e.bin (7a9013ad6a707a7a74e5a52babcfaf4a40232f6774680af8ec61d7d6026a9a05) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1086E | 10192 bytes