Malicious PDF — malware analysis report

Static analysis result for SHA-256 ad7fc87dbc8cb9ba…

Verdict: MALICIOUS
File type: PDF
Size: 133.3 KB
Created: 2021-03-20 09:14:36 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-21
MD5: 2c2bee9bd65a37a2a156256335ab3428
SHA-1: ba0b13abfcc8d89bf9384750853776464b15b49f
SHA-256: ad7fc87dbc8cb9bad9d477112415f7d891ada019aea615467336ebdf9a3ee2d0
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged as malicious by ClamAV and an ML classifier. It contains an embedded URI pointing to 'https://nipisod.ru/award?keyword=beowulf+pdf+summary', which is likely a phishing lure. The document body, though heavily obfuscated, contains text that suggests a summary or award related to 'Beowulf pdf'. No scripts were extracted, but the presence of a malicious URI in a PDF is a strong indicator of a phishing attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9808

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file with PDFSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://nipisod.ru/award?keyword=beowulf+pdf+summary (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0001d168.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1D168 | 5432 bytes
  SHA-256: afbd6a39b98945e294ef59d050cd2ef0423dea070178493c399739de7b14dc13
font_01_sfnt_off0001e3e5.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1E3E5 | 14688 bytes
  SHA-256: 8a74cc2d0f59f5394efa9e731b43abd05ced320cb84d0487dc03650e60cdc8c8