Malicious PDF — malware analysis report

Static analysis result for SHA-256 bbd6204fdeb1fd61…

MALICIOUS

PDF

317.3 KB Created: 2021-05-17 16:48:17 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f04481a45445b34b9c701dcdf8d7a06a SHA-1: 92b4103a16369755b2e74bc4664833bb1402f14d SHA-256: bbd6204fdeb1fd61cc79136abf4f0801ac598bb4a9f52505fca1bea3b407eb6d
136 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution T1059.007 JavaScript

The file is a PDF that employs a social engineering lure, instructing the user to install a browser extension or update to view content. This is a common tactic for credential theft or malware delivery. The ML classifier and ClamAV detection strongly indicate malicious intent. The embedded URL 'https://nipisod.ru/strik?utm_term=how+many+chapters+does+tom+sawyer+have' is a primary indicator of a malicious destination.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9594

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://nipisod.ru/strik?utm_term=how+many+chapters+does+tom+sawyer+have
    • http://wusumomijo.medianewsonline.com/suxaz.pdf
    • http://madawuboso.sportsontheweb.net/identidades_trigonometricas_pitagoricas_ejercicios_resueltos.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://a1c9bafd-2917-4c1b-b79c-a4b44a941470.filesusr.com/ugd/f0f215_d77644c2cf064efc9a36ba6f511b1a9b.pdf?index=true
    • https://uploads.strikinglycdn.com/files/6cb61b20-9e72-4c2e-b886-fb4d23ed5958/a_game_of_thrones_book_2_audiobook.pdf
    • https://uploads.strikinglycdn.com/files/17153140-b5ad-48e7-b710-4f82dd238ca1/11647582430.pdf
    • https://uploads.strikinglycdn.com/files/5524c395-a8a5-4483-80ee-1c48a36d98d6/zuwija.pdf
    • https://uploads.strikinglycdn.com/files/3e3b3419-97c2-4121-ba29-2e7f2ba647dc/13559164196.pdf
    • http://matewedidoxeber.onlinewebshop.net/nys_dmv_cdl_permit_test_appointment.pdf
    • https://uploads.strikinglycdn.com/files/32178934-4e0f-4722-83a1-caea4340f2ed/6_core_values_of_social_work_explained_uk.pdf
    • https://uploads.strikinglycdn.com/files/832691df-8843-4c01-b244-b444c068588f/dumaru.pdf
    • https://uploads.strikinglycdn.com/files/45596ac5-5ed0-4638-9ce5-4e846ee92b80/sir_gawain_and_the_green_knight_norton_anthology_audio.pdf
    • https://36c7e617-1221-4173-b726-d5bce2878801.filesusr.com/ugd/610d21_6413a9f12db644959c60243692bd458b.pdf?index=true
    • https://28481333-1ef2-46fb-8ebf-d56c3f24acbc.filesusr.com/ugd/314c35_c9f9605486354fa5b0a10dd4c8d6fd05.pdf?index=true
    • https://40e214c1-1950-44e8-a195-e2c6eeb23253.filesusr.com/ugd/a517f4_52bdfc64b5784772a0356a1c7c64dea6.pdf?index=true
    • https://591379ed-26d0-4405-baa7-5b8dadede013.filesusr.com/ugd/866ffa_8b112076a9b442b6a5fd7ff4eb6cbba6.pdf?index=true
    • https://uploads.strikinglycdn.com/files/4b2059b7-9300-4008-89de-a4d24d222bf6/tobipedavonebabejoz.pdf
    • https://s3.amazonaws.com/sakaburepagase/belilafadapubosidizowoma.pdf
    • https://uploads.strikinglycdn.com/files/99bfba2b-9952-46e5-a05f-f5129bcb7271/xagiwudezatofafola.pdf
    • https://s3.amazonaws.com/zevutebulaworel/cuales_son_los_sintomas_de_cancer_de_pancreas.pdf
    • https://uploads.strikinglycdn.com/files/959f6574-f286-415a-9150-a703031e7130/best_bible_verses_for_bookmarks.pdf
    • https://s3.amazonaws.com/gedexim/26875377850.pdf
    • https://uploads.strikinglycdn.com/files/03fe2959-cd09-43b0-8a12-4c035a4b2350/sijobigeta.pdf
    • https://uploads.strikinglycdn.com/files/da88de91-f14a-4d50-8f92-86f78f8a27ea/are_impalas_reliable_cars.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000497cc.bin
7d7521ac1c453a6a674c524a8a4dda042add66fd3a3ae4b2f6bb188809c82371		 pdf-font-stream PDF embedded font (sfnt) at offset 0x497CC 5496 bytes
font_01_sfnt_off0004aa6a.bin
53d0d74c1fd541903c10caf3ffeea95b1cc8ab4d79e2e2a17e3be97afca99b05		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4AA6A 10604 bytes
font_02_sfnt_off0004cebc.bin
3d4749d6100daadf53acbf3b8f0af377f764a48496e0806ab6baa0478a5fbb9e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4CEBC 16364 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.