Malicious PDF — malware analysis report

Static analysis result for SHA-256 003cc8534b62d1a9…

Verdict: MALICIOUS
File type: PDF
Size: 339.5 KB
Created: 2021-03-22 06:03:42 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 88eabe39ea3490d425bcfeeab42e080d
SHA-1: 55b7db995c6fa57b5abfbb98a5ee434178a77b65
SHA-256: 003cc8534b62d1a90106bd904b3117863a240fdea34a0a6b361b982acf033a38
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

Multiple heuristics and a machine learning classifier (Nyx PDF Classifier, malicious score 0.98) flag this PDF as malicious, and ClamAV matches it with the signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0. The document carries an external URI action, and the highlighted URL (https://vilenefex.ru/award?keyword=amerika+serikat+pdf) points to a suspicious domain with a keyword-style query string, most likely to deliver a follow-on payload or to phish for credentials; the authoring application is wkhtmltopdf, i.e. the file is a rendered web page. No JavaScript or other script content was extracted, so the T1059.007 (JavaScript) mapping is not corroborated by the extracted artifacts; the verdict rests on the outbound URLs, the signature match and the classifier score. When triaging the URL list, note that most entries are XMP namespace identifiers and font licence strings that carry no payload; the link-annotation URL and the third-party file-hosting links are the relevant indicators.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9800

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs to show one thing to a scanner and another to the viewer. Body-only differences are common in benign incremental updates (a re-saved document appends new object versions), so severity is raised only when the duplicate carries active content such as a JavaScript, Launch or URI action.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels record which channel (macro, JS, link annotation, document body, ...) reached each URL, and the groups below separate the document's own links from metadata and font strings.
    URL https://vilenefex.ru/award?keyword=amerika+serikat+pdf
    Other document links (third-party file hosts and CDNs; candidate indicators alongside the URL above):
    • https://cdn.sqhk.co/zezetemirag/eLhh3je/map_my_walk_apple_health.pdf
    • https://cdn.sqhk.co/mejofiwog/cgggewl/mermaids_cher_trailer.pdf
    • https://cdn.sqhk.co/wumidimux/vTggghd/83420358393.pdf
    • https://cdn.sqhk.co/xolokenuw/giAgii6/lavizopijuburalel.pdf
    • https://cdn.sqhk.co/xemuxebu/gtgdnF8/ics_field_operations_guide.pdf
    • https://cdn-cms.f-static.net/uploads/4475564/normal_5fd63de6a6117.pdf
    • https://cdn.sqhk.co/madumubo/jcDOOKT/83244462146.pdf
    • https://cdn.sqhk.co/letijefa/hiihggg/project_manager_resume_template_microsoft_word.pdf
    • https://cdn-cms.f-static.net/uploads/4393346/normal_5fd22521ae4ca.pdf
    • https://cdn.sqhk.co/xemugugafot/higgiie/lowizomerijogopiximume.pdf
    • https://cdn.sqhk.co/lixabanitav/aojb5Sv/tigidobisamazo.pdf
    • https://cdn.sqhk.co/bovokolel/gz6hfbG/zudibanopazitixaxogujij.pdf
    • https://cdn.sqhk.co/xawefigi/iaa7iaj/sekikitevawufo.pdf
    • https://cdn.sqhk.co/fitamorigob/jSHLie6/banudobibejexevogod.pdf
    • https://cdn.sqhk.co/gigemuji/MjiKaiz/45019427723.pdf
    • https://cdn-cms.f-static.net/uploads/4411229/normal_604ee97e1fccd.pdf
    • https://cdn.sqhk.co/rilixuzewiv/ihfieij/video_calling_app_free_wala.pdf
    • https://cdn-cms.f-static.net/uploads/4462775/normal_5fe9c54045753.pdf
    • https://cdn.sqhk.co/tawunipufop/8hjgPd1/40879277161.pdf
    • https://cdn.sqhk.co/rumobotituda/oycghjd/bi_weekly_payroll_calendar_2017_template.pdf
    • https://cdn.sqhk.co/feziwetesene/j1zbtuM/90789130921.pdf
    • https://cdn.sqhk.co/xurazegoba/hdijD9i/police_and_criminal_game_download.pdf
    • https://b564fea6-732e-489f-a029-a72dc6590de2.filesusr.com/ugd/6a4619_8dfd715d949b4381955631de0996c24e.pdf?index=true
    • https://35057dd6-1d18-4acd-96c9-af3b7fddc7cd.filesusr.com/ugd/978dd5_bbcfb07f659149ec998f9e421aa31fff.pdf?index=true
    • https://298c7861-702e-4dad-8e6b-798164301c36.filesusr.com/ugd/98adb1_bc57c17b93b340a4a867c37a239edff8.pdf?index=true
    XMP metadata namespaces and font vendor/licence strings (schema identifiers and the kind of name-table URLs carried by the embedded fonts; not indicators):
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
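As an added example (not code from the report or from the analysis engine that produced it), the Python script below reproduces the logic behind two of the heuristics above, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and EMBEDDED_URL/PDF_URI, on a constructed sample. It finds indirect objects defined more than once with differing bodies, reports what a first-wins and a last-wins reader would each resolve, and raises severity only when a copy carries active content; and it labels every URL it extracts with the channel that reached it (a /URI link action, a JavaScript string, an ordinary dictionary string, XMP metadata with schema namespaces separated out, an embedded font's name-table strings, or page content), so that namespace and licence URIs can be dropped from triage. The sample PDF, the example.invalid URLs and the fake sfnt bytes are constructed for this example. The scan is a raw-byte regex pass that does not parse xref tables or object streams (/ObjStm) and handles only literal (not hex) /URI strings, so it is a triage aid, not a PDF parser.

```python
import re
import zlib
from collections import defaultdict, namedtuple
from urllib.parse import urlsplit

OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)   # raw-byte object scan
STREAM_START_RE = re.compile(rb"\bstream\r?\n")
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")          # direct /Length values only
URI_KEY_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.DOTALL)    # literal strings; <hex> strings not handled
URL_RE = re.compile(rb"https?://[^\x00-\x20<>()\"'\]]+")
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/URI", b"/OpenAction", b"/AA", b"/SubmitForm", b"/GoToR")
NAMESPACE_HOSTS = {"www.w3.org", "purl.org", "ns.adobe.com"}       # XMP schema identifiers
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true", b"ttcf")     # TrueType / OpenType / TTC headers
PASSIVE_CHANNELS = {"xmp-namespace", "embedded-font"}              # strings a reader never dereferences
DuplicateObject = namedtuple("DuplicateObject", "num gen definitions first_wins last_wins severity")


def split_object(body):
    """Return (dictionary bytes, inflated stream payload or b'') for one indirect object body."""
    m = STREAM_START_RE.search(body)
    if not m:
        return body, b""
    head, raw = body[:m.start()], body[m.end():]
    n = LENGTH_RE.search(head)
    raw = raw[:int(n.group(1))] if n else raw.rsplit(b"endstream", 1)[0].rstrip(b"\r\n")
    if b"/FlateDecode" in head:
        try:
            return head, zlib.decompress(raw)
        except zlib.error:
            return head, raw                    # corrupt or mis-sized stream: keep the raw bytes
    return head, raw


def find_duplicate_objects(data):
    """Objects defined more than once with differing bodies; identical re-emissions are ignored."""
    seen = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        seen[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    found = []
    for (num, gen), bodies in seen.items():
        if len(bodies) > 1 and any(b != bodies[0] for b in bodies):
            # first-wins readers take bodies[0], last-wins readers take bodies[-1]
            active = any(k in bodies[0] or k in bodies[-1] for k in ACTIVE_KEYS)
            found.append(DuplicateObject(num, gen, len(bodies), bodies[0], bodies[-1], "high" if active else "info"))
    return found


def classify_urls(data):
    """Map each URL to the set of channels that carried it."""
    channels = defaultdict(set)
    for m in OBJ_RE.finditer(data):
        head, payload = split_object(m.group(3))
        actions = set(URI_KEY_RE.findall(head)) if re.search(rb"/S\s*/URI\b", head) else set()
        for u in URL_RE.findall(head):
            label = "uri-action" if u in actions else "javascript" if b"/JS" in head else "dictionary-string"
            channels[u.decode("latin-1")].add(label)
        if payload[:4] in SFNT_MAGICS:
            kind = "embedded-font"              # font name table: vendor, designer, licence strings
        elif b"<x:xmpmeta" in payload or b"<rdf:RDF" in payload:
            kind = "xmp-metadata"
        else:
            kind = "content-stream"             # text drawn on the page (an empty payload yields nothing)
        for u in URL_RE.findall(payload):
            url = u.decode("latin-1")
            ns = kind == "xmp-metadata" and (urlsplit(url).hostname or "") in NAMESPACE_HOSTS
            channels[url].add("xmp-namespace" if ns else kind)
    return dict(channels)


def triage(channels):
    """URLs reached through at least one channel that is not purely passive, sorted by URL."""
    return sorted(((u, c) for u, c in channels.items() if c - PASSIVE_CHANNELS), key=lambda t: t[0])


# Constructed sample (not the analysed file): a small document plus one incremental update.
def _obj(num, body):
    return b"%d 0 obj\n%s\nendobj\n" % (num, body)

def _stream_obj(entries, payload, compress):
    data = zlib.compress(payload) if compress else payload
    filt = b" /Filter /FlateDecode" if compress else b""
    return b"<<%s%s /Length %d >>\nstream\n%s\nendstream" % (entries, filt, len(data), data)

XMP = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"'
       b' xmlns:dc="http://purl.org/dc/elements/1.1/"><rdf:Description dc:source="https://example.invalid/source-page"/></rdf:RDF></x:xmpmeta>')
FAKE_FONT = b"\x00\x01\x00\x00" + b"\x00" * 8 + b"Sample Sans, licence: http://scripts.sil.org/OFL\x00"  # sfnt magic + one name string, not a real font
LINK_V1 = (b"<< /Type /Annot /Subtype /Link /Rect [10 10 100 30] "
           b"/A << /S /URI /URI (https://example.invalid/award?keyword=sample) >> >>")
LINK_V2 = (b"<< /Type /Annot /Subtype /Link /Rect [10 10 100 30] "
           b"/A << /S /JavaScript /JS (app.launchURL('https://example.invalid/updated')) >> >>")
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    + _obj(1, b"<< /Type /Catalog /Pages 3 0 R /Metadata 5 0 R >>")
    + _obj(4, LINK_V1)
    + _obj(5, _stream_obj(b" /Type /Metadata /Subtype /XML", XMP, False))
    + _obj(6, _stream_obj(b" /Length1 %d" % len(FAKE_FONT), FAKE_FONT, True))
    + _obj(7, _stream_obj(b"", b"BT /F1 12 Tf (Visit https://example.invalid/in-text) Tj ET", True))
    + _obj(8, b"<< /Producer (sample v1) >>")
    + b"trailer\n<< /Root 1 0 R /Info 8 0 R >>\n%%EOF\n"
    # incremental update: object 1 re-emitted unchanged, 8 changed passively, 4 swapped for JavaScript
    + _obj(1, b"<< /Type /Catalog /Pages 3 0 R /Metadata 5 0 R >>")
    + _obj(8, b"<< /Producer (sample v2) >>")
    + _obj(4, LINK_V2)
    + b"trailer\n<< /Root 1 0 R /Info 8 0 R /Prev 0 >>\n%%EOF\n"
)
```

On the sample, find_duplicate_objects reports object 4 as high (a first-wins reader sees the /URI link, a last-wins reader sees the JavaScript action) and object 8 as info (a changed /Producer string), while the unchanged re-emission of object 1 is ignored; classify_urls puts the w3.org and purl.org namespace identifiers and the OFL licence string in the font into passive channels, so triage() returns only the action, JavaScript, page-text and metadata-value URLs. Run over a real file, the same channel split is the one the EMBEDDED_URL heuristic relies on when it says the URL itself is not a detection: links such as the vilenefex.ru, cdn.sqhk.co, f-static.net and filesusr.com entries are worth following up, the XMP schema and font licence URIs are not.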

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

font_00_sfnt_off0004b3d0.bin
  SHA-256: c6c0366a4f28e70031a7cfba9f1cda38e33f16ccd0a85cfa8b8f561398bc116d
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x4B3D0
  Size: 16588 bytes

font_01_sfnt_off0004e842.bin
  SHA-256: 391dccdd1e8bbddc6c39153ecdf9fe85a98cda97b92459d44362f923ddcb3f93
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x4E842
  Size: 5208 bytes

font_02_sfnt_off0004f9e5.bin
  SHA-256: 91644ac32d3f5b073f312d5f956a6392bc193cf88401b209b49def9bdbd99725
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x4F9E5
  Size: 15208 bytes

font_03_sfnt_off00052a64.bin
  SHA-256: b030f2dd2b973d74ed7ad58b3ce3d1f27c97582edb9dd60003ab4db0fd557eaa
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x52A64
  Size: 16208 bytes

All four artifacts are embedded sfnt (TrueType/OpenType) font programs, consistent with the DejaVu and font-vendor licence URLs in the URL list above; they are carved font data, not payloads. Offsets index the original file while sizes are those of the carved artifacts, and the two should not be added together: the last offset plus its size (0x52A64 + 16208 = 354,740 bytes) exceeds the 339.5 KB file, which indicates the sizes are post-inflation and the font streams are stored compressed.