Malicious PDF — malware analysis report

Static analysis result for SHA-256 c60e2ea4862effc3…

Verdict: MALICIOUS
File type: PDF
Size: 99.2 KB
Created: 2021-05-18 04:10:40 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3dd03d467edb56e25d917571bb739425
SHA-1: 2ea28bf4d922281aaebf1e310539cde1f0072063
SHA-256: c60e2ea4862effc388a027f6d0964a95b3a17350560c79dc10ec40b3df4071f9
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file was detected by ClamAV as Pdf.Phishing.Trojan and flagged by an ML classifier, indicating malicious intent. The embedded URL `https://nipisod.ru/strik?utm_term=upstream+upper+intermediate+b2%252B+answers+pdf` strongly suggests a phishing lure, likely intended to trick users into downloading further malicious content or disclosing sensitive information. Although no scripts were explicitly extracted, the PDF structure and embedded URLs are typical of phishing campaigns.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://nipisod.ru/strik?utm_term=upstream+upper+intermediate+b2%252B+answers+pdf

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off00012d01.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x12D01  5880 bytes
  SHA-256: 13efb91f343b40dc15cbe30498ff926fa1df2ed1dc8bf1cc987afe596c4e00c7
font_01_sfnt_off00014173.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x14173  5512 bytes
  SHA-256: f9c1a4c03a5dd42b188ed8715e6e64df795cbadff3fc84bb82e6571de40f9b1e
font_02_sfnt_off00015429.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x15429  13640 bytes
  SHA-256: 329d6630d04af2d62c44e8d124393467af990c3f45b5e18ec5e204bbafefec57