Malicious PDF — malware analysis report

Static analysis result for SHA-256 acab164184ad29a1…

MALICIOUS

PDF

Size: 76.0 KB
Created: 2021-04-05 19:20:59 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 52c0a0d4cb016c34a09afe831c9979ce
SHA-1: 5523b279928972864353c75a9ffde0a49faeb589
SHA-256: acab164184ad29a10b78a7fdeefc4b7a9b6d1cdc278bb093271e1e70697a3a3e
Risk score: 104

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The Nyx PDF classifier (malicious score 0.9993) and ClamAV (Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0) both classify the file as malicious; the ClamAV family name points to a phishing lure rather than an exploit document. The PDF was rendered from HTML with wkhtmltopdf and carries an external URL action (PDF_URI); the URL extracted as the link target is 'https://nipisod.ru/wix?keyword=note+taking+worksheet+energy+section+3'. A call-to-action phrase ('download' button) was also found. On its own that is low-signal, but combined with the ClamAV hit and the external link it is consistent with a document whose purpose is to get the user to click through and fetch a further payload. Most of the other extracted URLs point to .pdf files on free or bulk hosting (filesusr.com, s3.amazonaws.com, rf.gd, epizy.com, 22web.org) with keyword-style filenames, which matches the same lure pattern. The w3.org, purl.org and ns.adobe.com URLs are XMP metadata namespace identifiers, and the scripts.sil.org/OFL and ascendercorp.com URLs are most likely licence and vendor references carried by the two embedded fonts; none of these should be treated as indicators. One indirect object is defined twice with different bodies, so first-wins and last-wins parsers resolve different content; it is reported at info severity because this shape is also common in benign incremental updates. The ATT&CK mapping reflects the delivery channel (T1566.001) and the classifier verdict; no JavaScript or exploit-related heuristic fired, so T1203 should be read as a possible rather than an observed technique.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://nipisod.ru/wix?keyword=note+taking+worksheet+energy+section+3 (target of the external URL action)
    • https://cdn-cms.f-static.net/uploads/4383680/normal_600ee71fecafa.pdf
    • http://vizilamu.22web.org/goneliz.pdf
    • http://meetchambre.xyz/zotolosedavuletigeweg3lt5.pdf
    • https://cdn-cms.f-static.net/uploads/4452385/normal_6069674c35d06.pdf
    • http://doucheop.xyz/famous_modern_portrait_drawing_artistsblgr9.pdf
    • https://cdn-cms.f-static.net/uploads/4496374/normal_604d312021146.pdf
    • http://websecurer.tech/californication_season_2_episode_3_freepnuqh.pdf
    • http://new-volosi.ru/garmin_vivofit_3_user_manualhv961.pdf
    • https://cdn-cms.f-static.net/uploads/4470231/normal_5fd63878f254b.pdf
    • http://ig-about.net/uniden_bearcat_bc350a_scanner_antennafnk5q.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/loneminovu/kegoz.pdf
    • http://pamigobew.rf.gd/42861997129.pdf
    • https://be56f97b-0727-4a8e-a141-4155b83e75ac.filesusr.com/ugd/5034d0_2a22fcf72134412d818b8c95576d9c3e.pdf?index=true
    • https://0e627107-309b-4451-a84d-e7064c41fccd.filesusr.com/ugd/04c368_166048e8523240d38928f5303be8a023.pdf?index=true
    • https://s3.amazonaws.com/nojemi/16612376310.pdf
    • http://wilisen.rf.gd/stanley_garage_door_parts_near_me.pdf
    • http://gokatajikimole.rf.gd/43063696699.pdf
    • https://a39ac558-8fe8-437d-9e10-dc9402d6cb9c.filesusr.com/ugd/1ebe14_cd9edc9c4d304a27b4323b8e59ba7d02.pdf?index=true
    • https://7095e710-59ac-4d27-8a5a-f3bbcaf65deb.filesusr.com/ugd/418e76_1adfe471b29e4903b552cbcd049ad0ca.pdf?index=true
    • https://s3.amazonaws.com/vebenok/28930884138.pdf
    • https://s3.amazonaws.com/nakevoja/gapowasubiz.pdf
    • https://12c48f50-3553-44c7-a31c-19fc5df83d07.filesusr.com/ugd/7e0eb0_6a8ff77bd8454a4ab4abf17865894c1a.pdf?index=true
    • http://sukuvafeliji.epizy.com/lewopus.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
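The following is an added example, not the report's own tooling, that reproduces two of the checks above on a constructed PDF: the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL check (find an object number and generation defined twice with different bodies, show what a first-wins and a last-wins reader each resolve, and raise severity only when the duplicate carries active content) and the per-URL channel labels that the EMBEDDED_URL entry refers to (a /URI link action, an XMP namespace identifier, or a bare string in an object body). The sample file, the example.org and attacker.example domains, the ACTIVE_KEYS list and the XMP namespace prefixes are assumptions made for the example; the scanner works on raw bytes and does not walk the xref, so the sample omits xref tables.

```python
"""Regex-level PDF object scan: duplicate-object resolution and URL channel labels.
Added example; the sample below is constructed and does not come from the report."""
import re
from collections import defaultdict

# Constructed sample: link annotation 4 0 first points at a harmless URL; an
# appended incremental update redefines 4 0 with a different target. Object
# 5 0 is an XMP metadata stream (its /Length is not checked by this scanner).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Metadata 5 0 R >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]
   /A << /S /URI /URI (https://example.org/benign) >> >>
endobj
5 0 obj
<< /Type /Metadata /Subtype /XML /Length 115 >>
stream
<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/></x:xmpmeta>
endstream
endobj
trailer
<< /Root 1 0 R >>
%%EOF
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]
   /A << /S /URI /URI (https://attacker.example/lure.pdf) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
URI_ACTION_RE = re.compile(rb"/S\s*/URI\b.*?/URI\s*\((.*?)(?<!\\)\)", re.S)
URL_RE = re.compile(rb"https?://[^\s<>\"'()\[\]]+")
METADATA_RE = re.compile(rb"/Type\s*/Metadata\b")
# Keys that make a redefined object actionable (assumed list for the example).
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/URI", b"/OpenAction",
               b"/AA", b"/SubmitForm", b"/GoToR", b"/EmbeddedFile")
# Schema identifiers present in every XMP packet; they are not navigable targets.
XMP_NAMESPACES = (b"http://www.w3.org/", b"http://purl.org/dc/", b"http://ns.adobe.com/")


def enumerate_objects(data):
    """Yield (num, gen, body) for every 'N G obj ... endobj' in file order,
    keeping duplicates so incremental updates stay visible."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip()


def find_duplicate_objects(data):
    """Report objects defined more than once with differing bodies."""
    bodies = defaultdict(list)
    for num, gen, body in enumerate_objects(data):
        bodies[(num, gen)].append(body)
    findings = []
    for (num, gen), defs in bodies.items():
        if len(defs) < 2 or len(set(defs)) < 2:
            continue  # single definition, or byte-identical copies: nothing to resolve
        active = any(key in d for d in defs for key in ACTIVE_KEYS)
        findings.append({
            "obj": f"{num} {gen}",
            "definitions": len(defs),
            "first_wins": defs[0].decode("latin-1"),  # what a first-wins reader keeps
            "last_wins": defs[-1].decode("latin-1"),  # what a last-wins reader keeps
            "carries_active_content": active,
            "severity": "high" if active else "info",
        })
    return findings


def classify_urls(data):
    """Map each URL to the set of channels that carried it."""
    labels = defaultdict(set)
    for _num, _gen, body in enumerate_objects(data):
        action_urls = {m.group(1) for m in URI_ACTION_RE.finditer(body)}
        in_metadata = METADATA_RE.search(body) is not None
        for m in URL_RE.finditer(body):
            url = m.group(0)
            if url in action_urls:
                label = "uri-action"     # clickable link target (PDF_URI)
            elif in_metadata and url.startswith(XMP_NAMESPACES):
                label = "xmp-namespace"  # schema identifier, not an indicator
            else:
                label = "body-string"    # bare string; needs context
            labels[url.decode("latin-1")].add(label)
    return dict(labels)


if __name__ == "__main__":
    for f in find_duplicate_objects(SAMPLE_PDF):
        print(f"{f['obj']}: {f['definitions']} definitions, severity {f['severity']}")
        print("  first-wins ->", f["first_wins"].splitlines()[-1].strip())
        print("  last-wins  ->", f["last_wins"].splitlines()[-1].strip())
    for url, channels in classify_urls(SAMPLE_PDF).items():
        print(f"{url}  [{', '.join(sorted(channels))}]")
```

On the sample, object 4 0 is reported once with two definitions and severity high, because the redefined body carries a /URI action: a first-wins reader keeps the example.org link while a last-wins reader (and any reader that honours the incremental update) follows the attacker.example one. The w3.org URL is labelled xmp-namespace and would be dropped from an indicator list, which is the reason the report keeps URL extraction separate from the per-URL labels.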

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000ecaf.bin
  SHA-256: 15e7d735ba8f6baa41157589f3c586cd6e688619803ec989b46238e892b48bbd
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xECAF
  Size: 5420 bytes

Filename: font_01_sfnt_off0000ff3f.bin
  SHA-256: eaa7707ffae9e721b52bc2aa53ea5d586781597bdd79abbb358e9b0b1b6e1a43
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xFF3F
  Size: 10376 bytes