Malicious PDF — malware analysis report

Static analysis result for SHA-256 cb9d8fe55ea222be…

MALICIOUS

PDF

Size: 74.1 KB
Created: 2021-03-29 01:47:07 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 39a74dab2e813a89e2c178bbb47173ac
SHA-1: 57da7a9b8824e84550b479b9d5b1b075d50a3ef9
SHA-256: cb9d8fe55ea222bebdcfa67d2e9849d823626d536b0f95c3bd78fcd69a8a43e0
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains an embedded URI pointing to 'nipisod.ru', which is flagged as suspicious and is likely part of a phishing or malware distribution scheme. The ML classifier and the ClamAV detection both strongly indicate malicious intent. Although no scripts were explicitly extracted, the PDF structure and the embedded URL suggest the file is designed to redirect users to a malicious site, potentially for credential harvesting or further payload delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://nipisod.ru/award?keyword=ocean+of+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000e6ba.bin
    SHA-256: d1e2ccf2f8e1c85a186bfba90026b04a4c4e897962060804c588a1f8ab2e40bb
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE6BA
    Size: 4868 bytes
  • Filename: font_01_sfnt_off0000f764.bin
    SHA-256: 9feb76dc04ec53cbcb85b80414d8c884c3e7df0406f1d574c1bfb8a471b6ad31
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF764
    Size: 10988 bytes