Malicious PDF — malware analysis report

Static analysis result for SHA-256 f225982d9c53dcbc…

MALICIOUS

PDF

Size: 79.9 KB
Created: 2021-04-11 20:01:46 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2e4f4334dee013aec19df853522879d6
SHA-1: af6d6fe9f36a61297a58972875c9d996ace40b9e
SHA-256: f225982d9c53dcbc94414b9764a4aaa330fdf141eb00e426f80d6fbe1ec6ab64
Risk score: 104

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1566.001 Spearphishing Attachment

The PDF contains embedded JavaScript and a high-confidence ML classifier flagged it as malicious, consistent with a phishing or malware delivery attempt. The primary external URI, https://pelibifir.ru/strik?utm_term=casio+f91w+nato+band, is likely the destination for the malicious payload or phishing content. The document body, though heavily obfuscated, suggests a product lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware under the signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://pelibifir.ru/strik?utm_term=casio+f91w+nato+band

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000f0aa.bin
    SHA-256: 6d5c10adfe56675de60489b740b32dfe7eb9aacad7c6ef42d952f20a9c026797
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF0AA
    Size: 5116 bytes
  • Filename: font_01_sfnt_off0001022e.bin
    SHA-256: daad3f347a4f42f432ee9983e619a7c063e36761dba5934b469418034847e28e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1022E
    Size: 1800 bytes
  • Filename: font_02_sfnt_off00010abc.bin
    SHA-256: ef77e19625cdf04ca9f7be3ebeb951fd84259d1315d86551ded24799d754f0b9
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10ABC
    Size: 11268 bytes