Malicious PDF — malware analysis report

Static analysis result for SHA-256 be44405c5bb9d2e6…

MALICIOUS

PDF

71.0 KB Created: 2021-03-03 02:26:26 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8a75e44fcdacb14599c9980581461512 SHA-1: 7bdaac240456d613f18c16fc38ecbcb065e89e72 SHA-256: be44405c5bb9d2e6d113758f9dff49a9dd8faafa19355df2388e27440e12df8a
136 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

The sample was flagged by ML classifiers and ClamAV as malicious, with a critical heuristic indicating a payment redirection lure. The document body, though heavily obfuscated, contains text related to pairing a headset, which is likely a deceptive pretext. The presence of multiple external URLs, including one pointing to 'nipisod.ru', suggests the document is designed to redirect users to malicious sites for further exploitation.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Payment redirection / bank-detail change lure high SE_PAYMENT_REDIRECT_LURE
    Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://nipisod.ru/123?utm_term=how+to+pair+a+plantronics+headset
    • http://excschool.ru/bangla_new_natok_mp4_2019f8jmo.pdf
    • http://stikc.xyz/livudi9hk4d.pdf
    • https://cdn.sqhk.co/zizenozi/0iejd59/xopavumu.pdf
    • https://cdn.sqhk.co/jigavozef/hfEDhcp/lion_temple_run_game_download.pdf
    • https://cdn-cms.f-static.net/uploads/4403822/normal_5fd8b34a1d93c.pdf
    • http://cozyplacefor.rest/where_most_clastic_sedimentary_rocks_are_formedo47yg.pdf
    • http://instacopyrightcenter.com/87169432659pbhos.pdf
    • https://cdn.sqhk.co/wuvexudid/gBLgh0a/pew_pew_pew_lyrics_tik_tok.pdf
    • https://cdn.sqhk.co/kezixowog/hiidhep/2524152394.pdf
    • http://vinnipoh.space/changomas_formosa_capitalricrn.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/kawotexulozax/bhole_baba_song_free.pdf
    • https://s3.amazonaws.com/wuxupewu/bang_bang_movie_songs_free_pagalworld.pdf
    • https://s3.amazonaws.com/rufonali/war_plane_games_android.pdf
    • https://s3.amazonaws.com/nutanigonu/vugefatenevetada.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d9ae.bin
c90bab2b22c4b077074f6b12386769141f9f184ebe54e641d582cadd3cdab110		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD9AE 5212 bytes
font_01_sfnt_off0000eb6b.bin
5bde3c4485b872f8bed0769d9f34c40e4b447168334c6ad007cacede6cfce6cc		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEB6B 10548 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.