Malicious PDF — malware analysis report

Static analysis result for SHA-256 d178c8d43bc527a7…

MALICIOUS

PDF

84.0 KB Created: 2021-03-21 21:47:02 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c0ce91196672717dc329972809ffa822 SHA-1: 2dbce44cb6188c38233ad849c601721a9f83d115 SHA-256: d178c8d43bc527a7b45d7a28b8f642e002845d2da7274af3e42af0ad173a1074
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is a PDF document flagged by ClamAV as Pdf.Phishing.Trojan and a machine learning classifier. It contains an external URI pointing to 'https://nipisod.ru/wix?keyword=say+it+with+symbols+investigation+1', which is likely a phishing or malware distribution site. The document body is heavily obfuscated, but the presence of embedded URLs and the overall detection suggest a malicious intent to redirect the user to a compromised or malicious resource.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://nipisod.ru/wix?keyword=say+it+with+symbols+investigation+1
    • http://bumasujofoj.getenjoyment.net/siwuxujububazaribaraketoz.pdf
    • http://jijejuvisuzewe.22web.org/online_converter_to_jpg.pdf
    • http://dizofuses.mypressonline.com/different_types_of_seismic_waves.pdf
    • https://cdn.sqhk.co/tanemurad/hhChaha/major_mayhem_2_apk.pdf
    • https://bamukafigozoxin.weebly.com/uploads/1/3/4/8/134861202/pisig_pobixipuvuze_sexukoz_basugurusab.pdf
    • https://nilukosezaxed.weebly.com/uploads/1/3/0/8/130814529/6473846.pdf
    • https://mawubikafef.weebly.com/uploads/1/3/4/8/134871360/fef4faed6ac.pdf
    • https://cdn.sqhk.co/rojozedofaf/jbhiL17/tejufotovim.pdf
    • http://vobigabifinu.22web.org/53169003103.pdf
    • https://cdn.sqhk.co/sunidoxil/drdjahg/40616698926.pdf
    • https://bewizujire.weebly.com/uploads/1/3/2/3/132303264/a611b109f847.pdf
    • http://ruvogodozipabiv.scienceontheweb.net/liberalismo_y_neoliberalismo_economico.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://ba30dffa-51fe-4caa-9472-6f142403a9bb.filesusr.com/ugd/c2007e_18a0ceeb049647f8b2d8138b59d596b3.pdf?index=true
    • https://uploads.strikinglycdn.com/files/7da22d99-fe7c-4e08-bb49-cba62100fd53/is_wolves_of_wall_street_a_true_story.pdf
    • http://jokubamobivavum.onlinewebshop.net/how_to_get_cuttings_from_devils_ivy.pdf
    • http://gipebevu.atwebpages.com/46778203944.pdf
    • https://uploads.strikinglycdn.com/files/a99ac000-a46d-4588-919a-27c5069a3781/parents_as_partners_policy_early_years.pdf
    • http://miseparasunafit.rf.gd/number_line_addition_worksheet_grade_2.pdf
    • https://uploads.strikinglycdn.com/files/de7496d8-3437-4793-a8ab-ef1663c220de/38264153020.pdf
    • https://e5447efa-8854-4d04-834e-f0bbd7438c8b.filesusr.com/ugd/ac612b_528d890ede3d4e3ab941e37c4d60cf8b.pdf?index=true
    • https://uploads.strikinglycdn.com/files/fcf7d237-4365-462d-be2e-d46258b94c37/81769104427.pdf
    • https://uploads.strikinglycdn.com/files/8c2c3716-0ed4-4b77-9644-4fa5fe8e0539/medicinal_chemistry_books_yogeshwari_download.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00010a76.bin
07e0d35c8af5347b7f3f0cee7d86ea29b2e1d181d0bf7a7e6e133a67d79acc94		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10A76 5552 bytes
font_01_sfnt_off00011d56.bin
44170e64e150f87c35a97e75cf172f8a8b8b163268811ecb34fea585cd5296d5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11D56 10788 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.