Malicious PDF — malware analysis report

Static analysis result for SHA-256 00404c1002d424a3…

Verdict: MALICIOUS
File type: PDF
Size: 73.8 KB
Created: 2021-03-20 01:40:47 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f4805dc3f3b126464b0bb75be2ae8126
SHA-1: 73291a4f3fd5865efe0d97dcb9f505410a1d10b5
SHA-256: 00404c1002d424a366ddeb3aec2430f90455e1466f89f649ad5a9be46843a98b
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains multiple embedded URLs; one of them, 'https://leonvi.ru/award?keyword=advanced+antenna+theory+pdf', is reached through an external URI action, i.e. it is the clickable link in the document. Its query string matches the document's theme of 'advanced antenna theory pdf', a search-bait topic used to draw victims who are looking for a free PDF. The ML classifier (score 0.9960) and the ClamAV signature agree in classifying the file as a phishing trojan, and the document body, though heavily obfuscated, supports the same lure. Most of the other URLs are .pdf paths on free-hosting CDNs and domains of unknown reputation, which fits a phishing or credential-harvesting redirect pattern. Note that none of the heuristics below reports JavaScript, so the T1059.007 (JavaScript) mapping is not backed by an indicator in this report.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9960

Heuristics (4)

  • ClamAV detection (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    The PDF contains an external URI action, i.e. a link that opens a URL outside the document when activated.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader resolve different content for the same reference, a parser-confusion shape used by targeted PDFs to show one thing to a scanner and another to the viewer. Body-only differences are also common in benign incremental updates, so the severity is raised only when the duplicate carries active content (an action, URI or script); here it stayed at info.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. A URL itself is not a detection; what matters is the channel that reached it (URI action, link annotation, JavaScript, document body, metadata). The first URL below is the one reached by the external URI action. The w3.org, purl.org, ns.adobe.com and scripts.sil.org entries at the end of the list are XMP namespace and font-licence URIs that are standard in PDF metadata and embedded fonts, and the two ascendercorp.com pages are a type foundry's site, most likely carried in the embedded fonts' metadata; none of these is a lure. The remaining entries are .pdf paths on free-hosting CDNs and domains of unknown reputation, including a look-alike domain (lnstagramcopyrightservices.org, spelled with a lowercase l in place of the I).
    • https://leonvi.ru/award?keyword=advanced+antenna+theory+pdf (external URI action)
    • https://cdn-cms.f-static.net/uploads/4375708/normal_6029a7ce86fab.pdf
    • https://cdn.sqhk.co/mekaxosur/7s1giz2/democracy_in_america_book_review.pdf
    • https://jifurutirijiguj.weebly.com/uploads/1/3/4/5/134528482/9ead0dc2aa23.pdf
    • https://lufuwoxataj.weebly.com/uploads/1/3/1/3/131379696/ea177b0db1.pdf
    • https://static.s123-cdn-static.com/uploads/4446399/normal_5ff5211cdd5e2.pdf
    • https://cdn-cms.f-static.net/uploads/4445735/normal_602196c9bf96b.pdf
    • http://rmk4sale.xyz/bizikuwukokozeritojji84.pdf
    • http://persequenteamsohbet.com/makonobo0efir.pdf
    • http://feelslike35.com/risilizhph.pdf
    • https://cdn.sqhk.co/vomawoko/a2Oihie/35482900579.pdf
    • http://confirmationhelpcenter.com/rebanemomukixejabcpxfj.pdf
    • https://cdn.sqhk.co/zabeluzitema/gdBIjdO/slap_kings_app.pdf
    • http://boost-shop.xyz/att._net_email_setup_androidz1x12.pdf
    • http://glawerry.online/que_es_un_modelo_de_pronostico_cualitativo_y_cuando_es_apropiado42ux8.pdf
    • http://kurs1.xyz/conversin_de_mm_a_pulgadas_formulaktpht.pdf
    • https://static.s123-cdn-static.com/uploads/4365536/normal_5ff407b68d985.pdf
    • https://cdn.sqhk.co/tajixixejafi/g2iihgu/fisolodupoluzifavilax.pdf
    • https://cdn.sqhk.co/bubiwalifeda/gjjhk1X/car_running_colder_than_usual.pdf
    • http://playmarket-online.com/glasswire_data_usage_monitor_pro_apkd71ms.pdf
    • https://static.s123-cdn-static.com/uploads/4499660/normal_5ffdd4ee66e0a.pdf
    • http://lnstagramcopyrightservices.org/100_dollar_startup78u6s.pdf
    • http://fabulouss.space/xovadorir16rmn.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://80c93ba6-74df-4afb-9852-3a83eaba20e3.filesusr.com/ugd/4cf28d_c260ed5dbcab436fabc19663d7f61921.pdf?index=true
    • https://3ae4d138-4ba3-4962-98fb-1b98b40a6a82.filesusr.com/ugd/38062a_5c41c75fde7441e0a5163df89381e007.pdf?index=true
    • https://7afcd0b8-98df-42a4-afe0-9544d44c9539.filesusr.com/ugd/74e9cf_e7100bd7377e4780994832862c177e0e.pdf?index=true
    • https://eda93683-a6ca-45e9-8056-ca7adea7f1dc.filesusr.com/ugd/d655db_e75e8a99f34746b3b7682be88d4e17d8.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
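As an added example (not part of the scanner's output and not its code), the logic behind two of the heuristics above, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and EMBEDDED_URL with per-channel labels, written in Python over a constructed PDF fragment. The sample PDF, its example.invalid URLs and the 'hypothetical-generator' producer string are invented for the demonstration; the XMP namespace URIs in it are the same ones that appear in the report's URL list.

```python
import re
from collections import defaultdict

# Constructed sample, not the analysed file: a PDF with one incremental update
# (second trailer) that redefines objects 3, 4 and 7. Object 3 is rewritten
# byte-identical, object 4 (a /URI link) and object 7 (/Info) change body.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /Metadata 5 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /Contents 6 0 R /Annots [4 0 R] >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.invalid/benign.pdf) >> >>
endobj
5 0 obj
<< /Type /Metadata /Subtype /XML /Length 150 >>
stream
<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/></x:xmpmeta>
endstream
endobj
6 0 obj
<< /Length 70 >>
stream
BT /F1 12 Tf 20 20 Td (Download: https://cdn.example.invalid/normal_000.pdf) Tj ET
endstream
endobj
7 0 obj
<< /Producer (wkhtmltopdf 0.12.5) >>
endobj
trailer
<< /Root 1 0 R /Info 7 0 R >>
%%EOF
3 0 obj
<< /Type /Page /Parent 2 0 R /Contents 6 0 R /Annots [4 0 R] >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.invalid/lure?keyword=sample+pdf) >> >>
endobj
7 0 obj
<< /Producer (hypothetical-generator 1.0) >>
endobj
trailer
<< /Root 1 0 R /Info 7 0 R /Prev 0 >>
%%EOF
"""

OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URL_RE = re.compile(rb"https?://[^\s<>\"'()\[\]{}]+")
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Dictionary keys whose presence makes a duplicate object "active content".
ACTIVE_RE = re.compile(rb"/(JavaScript|JS|Launch|URI|SubmitForm|OpenAction|AA)\b")
NAMESPACE_PREFIXES = (b"http://www.w3.org/", b"http://purl.org/dc/", b"http://ns.adobe.com/")


def parse_objects(data):
    """Every 'N G obj ... endobj' definition in file order: (num, gen, body, offset)."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3).strip(), m.start())
            for m in OBJ_RE.finditer(data)]


def find_duplicate_objects(data):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: same (N G) defined more than once with
    different body bytes. Returns {(N, G): {first_wins, last_wins, count, active}}."""
    defs = defaultdict(list)
    for num, gen, body, _ in parse_objects(data):
        defs[(num, gen)].append(body)
    dups = {}
    for key, bodies in defs.items():
        if len(bodies) > 1 and len(set(bodies)) > 1:   # identical rewrites are benign
            dups[key] = {"count": len(bodies), "first_wins": bodies[0],
                         "last_wins": bodies[-1],
                         "active": any(ACTIVE_RE.search(b) for b in bodies)}
    return dups


def extract_urls(data):
    """EMBEDDED_URL: every URL with the channel that reached it:
    'uri-action' (/URI in a link or action), 'xmp-metadata', or 'document-body'."""
    out = []
    for _, _, body, _ in parse_objects(data):
        uri_actions = set(URI_ACTION_RE.findall(body))
        in_metadata = b"/Type /Metadata" in body or b"<x:xmpmeta" in body
        for url in URL_RE.findall(body):
            if url in uri_actions:
                channel = "uri-action"
            elif in_metadata or url.startswith(NAMESPACE_PREFIXES):
                channel = "xmp-metadata"
            else:
                channel = "document-body"
            out.append((url.decode("latin-1"), channel))
    return out


if __name__ == "__main__":
    for (num, gen), d in find_duplicate_objects(SAMPLE_PDF).items():
        sev = "raised" if d["active"] else "info"   # the report's severity rule
        print(f"{num} {gen} obj defined {d['count']}x, severity {sev}")
        print("  first-wins:", d["first_wins"][:80])
        print("  last-wins: ", d["last_wins"][:80])
    for url, channel in extract_urls(SAMPLE_PDF):
        print(f"{channel:14s} {url}")
```

On the sample, object 4 is reported with its severity raised (the duplicate carries a /URI action and the two bodies point at different URLs), object 7 stays at info (only the producer string changed), and object 3 is not reported at all because both definitions are byte-identical. The URL pass labels the two namespace URIs as metadata and the link targets as URI actions, which is the per-channel distinction the report's EMBEDDED_URL text refers to.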

Extracted artifacts (2)

Files carved from inside the sample during analysis. Both are sfnt font programs, consistent with the wkhtmltopdf producer embedding the fonts it rendered with; they are listed as artifacts, not as detections.

font_00_sfnt_off0000e191.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xE191
  Size:    5184 bytes
  SHA-256: b1aa4ad813f319a638dcc8ff65c2b6f53b7131105f13cc969d02bf35081276cf

font_01_sfnt_off0000f340.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xF340
  Size:    11460 bytes
  SHA-256: a80f53e30453ee8a6262794d6e250a8754a8acb14d17ee6998c7812efce067a7
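Added example, not the analysis pipeline's own code: how font streams like the two artifacts above can be carved from a PDF and checked for a well-formed sfnt table directory, including per-table checksums, before anyone feeds them to a font parser. The sample PDF, the ExampleSans font and its two tables are constructed inline and are hypothetical; real fonts carry many more tables, and a real carver must also resolve indirect /Length references, which this version deliberately skips.

```python
import hashlib
import re
import struct
import zlib

# Single-font sfnt magics (TrueType, CFF-based OpenType, Apple 'true').
# Font collections ('ttcf') are out of scope here.
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true")
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
STREAM_START_RE = re.compile(rb"\bstream\r?\n")
# Direct /Length only; '/Length N G R' indirect references are not resolved.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")


def sfnt_checksum(data):
    """OpenType table checksum: big-endian uint32 sum over the table padded to 4 bytes."""
    padded = data + bytes((-len(data)) % 4)
    return sum(struct.unpack(">%dI" % (len(padded) // 4), padded)) & 0xFFFFFFFF


def parse_sfnt(blob):
    """Validate the sfnt table directory. Returns {tag: (offset, length, checksum_ok)}
    or None when the blob is not a well-formed single sfnt."""
    if len(blob) < 12 or blob[:4] not in SFNT_MAGICS:
        return None
    num_tables = struct.unpack(">H", blob[4:6])[0]
    if 12 + 16 * num_tables > len(blob):
        return None
    tables = {}
    for i in range(num_tables):
        tag, csum, off, length = struct.unpack(">4sIII", blob[12 + 16 * i:28 + 16 * i])
        if off + length > len(blob):              # table reaches outside the blob
            return None
        chunk = blob[off:off + length]
        if tag == b"head" and len(chunk) >= 12:   # checkSumAdjustment is zeroed for the sum
            chunk = chunk[:8] + b"\0\0\0\0" + chunk[12:]
        tables[tag.decode("latin-1")] = (off, length, sfnt_checksum(chunk) == csum)
    return tables


def carve_fonts(pdf):
    """Decode every stream (FlateDecode or raw) and keep those that parse as an sfnt,
    reporting file offset, decoded size and SHA-256 like the report's artifact table."""
    found = []
    for m in OBJ_RE.finditer(pdf):
        body = m.group(3)
        start, length = STREAM_START_RE.search(body), LENGTH_RE.search(body)
        if not start or not length:
            continue
        raw = body[start.end():start.end() + int(length.group(1))]
        if b"/FlateDecode" in body[:start.start()]:
            try:
                data = zlib.decompress(raw)
            except zlib.error:
                continue
        else:
            data = raw
        tables = parse_sfnt(data)
        if tables is None:
            continue
        found.append({"offset": m.start(3) + start.end(), "size": len(data),
                      "sha256": hashlib.sha256(data).hexdigest(), "tables": tables})
    return found


def build_sample_font():
    """Constructed minimal TrueType-flavoured sfnt with a zeroed 'head' and a 'name' table."""
    tables = {b"head": bytes(54), b"name": b"ExampleSans".ljust(16, b"\0")}
    directory, body, offset = b"", b"", 12 + 16 * len(tables)
    for tag in sorted(tables):
        padded = tables[tag] + bytes((-len(tables[tag])) % 4)
        directory += struct.pack(">4sIII", tag, sfnt_checksum(padded), offset, len(tables[tag]))
        body += padded
        offset += len(padded)
    return struct.pack(">IHHHH", 0x00010000, len(tables), 32, 1, 0) + directory + body


def build_sample_pdf(font):
    """Constructed PDF wrapping the font as a FlateDecode /FontFile2 stream plus one text stream."""
    comp = zlib.compress(font)
    return b"".join([
        b"%PDF-1.4\n1 0 obj\n<< /Type /FontDescriptor /FontName /ExampleSans /FontFile2 2 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Length %d /Length1 %d /Filter /FlateDecode >>\nstream\n" % (len(comp), len(font)),
        comp, b"\nendstream\nendobj\n",
        b"3 0 obj\n<< /Length 11 >>\nstream\nHello world\nendstream\nendobj\n",
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"])


if __name__ == "__main__":
    for f in carve_fonts(build_sample_pdf(build_sample_font())):
        print(f"sfnt at offset 0x{f['offset']:X}, {f['size']} bytes, sha256 {f['sha256']}")
        for tag, (off, ln, ok) in f["tables"].items():
            print(f"  {tag}: offset {off} length {ln} checksum {'ok' if ok else 'MISMATCH'}")
```

The carver reports the decoded size, which is why it is compared with the size column of the artifact table rather than with the on-disk stream length. A table directory that points outside the blob, or a table whose checksum does not match, is the first thing to look at when a carved font is suspected of being more than a font.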