Malicious PDF — malware analysis report

Static analysis result for SHA-256 01fe94a2b8b879e2…

MALICIOUS

PDF

Size: 79.7 KB
Created: 2021-03-30 03:29:07 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-22
MD5: b055e4049c1f6a9719c02c60e07f4aa3
SHA-1: 733f8b4ae44f7981c7c09916952fda22471d1485
SHA-256: 01fe94a2b8b879e24f77c48c46209d471e052e7d2705d71363c11f1ddb734c1f
Risk Score: 116

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution

The file is a PDF document flagged by ML classifiers and ClamAV as malicious, specifically as a phishing trojan. Heuristics indicate it contains external URIs and a callback phishing lure, suggesting it aims to trick users into contacting a fraudulent service. While no scripts were explicitly extracted, the presence of embedded URLs and the nature of the heuristics strongly suggest an attempt to exploit the user through social engineering, likely leading to further compromise.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://xezojetit.ru/strik?utm_term=how+to+play+disney+family+feud+instructions (PDF link annotation)
    • https://cdn.sqhk.co/roretuduva/icvEfih/too_many_birds_callahan_lyrics.pdf (in PDF document text)
    • http://tiktokfrance.fun/674520621503sv4i.pdf (in PDF document text)
    • http://muldwych.com/279118972047dhwd.pdf (in PDF document text)
    • http://odemebayisitrafik.com/trisha_yearwood_skillet_apple_piey7v71.pdf (in PDF document text)
    • http://flebolog24.com/29855201633c2fnw.pdf (in PDF document text)
    • http://reduslim-italiaufficiale.site/sivugukividogegolijopol3q8i.pdf (in PDF document text)
    • https://cdn.sqhk.co/kifukuvitog/Um6jfhd/easy_screen_recorder_crack_app.pdf (in PDF document text)
    • https://cdn.sqhk.co/letarezetap/glkiijh/37947139217.pdf (in PDF document text)
    • https://cdn.sqhk.co/kuwusemob/CeW8Yie/rimidozilitimonofitiga.pdf (in PDF document text)
    • http://toletisugudasa.iblogger.org/why_do_guys_pull_back_after_intimacy.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • http://www.daltonmaag.com/ (in PDF document text)
    • https://s3.amazonaws.com/suzujewa/adverbs_worksheet_ks2_tes.pdf (in PDF document text)
    • http://wazikaje.rf.gd/13667332608.pdf (in PDF document text)
    • https://s3.amazonaws.com/nitirew/ibm_spss_statistics_24_brief_guide.pdf (in PDF document text)
    • http://sekovukubetib.epizy.com/bandish_song_likewap.pdf (in PDF document text)
    • https://s3.amazonaws.com/nowokil/39922239567.pdf (in PDF document text)
    • http://kitomov.epizy.com/xbox_360_wireless_controller_instruction_manual.pdf (in PDF document text)
    • http://xegiseko.epizy.com/40556462435.pdf (in PDF document text)
    • http://tibimixokafif.epizy.com/vezumovowobujum.pdf (in PDF document text)
    • https://s3.amazonaws.com/bagisi/duzozonux.pdf (in PDF document text)
    • http://senapofo.epizy.com/repibutumufu.pdf (in PDF document text)
    • https://s3.amazonaws.com/pululusodogi/does_potassium_nitrate_incorporate_ionic_bonding.pdf (in PDF document text)
    • http://livutogugusal.rf.gd/tabotonamigob.pdf (in PDF document text)
    • https://s3.amazonaws.com/mejigavukolu/nulawavagodurivonu.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000ea58.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEA58
    Size: 5340 bytes
    SHA-256: 4e36879c911ca41daeaad59edc404567d98cb250f06c7a9054e318cd2ca90e6f
  • font_01_sfnt_off0000fc7b.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFC7B
    Size: 10804 bytes
    SHA-256: cfac874fb6a5926a5e95e03b12fdb28a3adb7e7191e4e82157c26098b7d6bc18
  • font_02_sfnt_off0001214a.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1214A
    Size: 4324 bytes
    SHA-256: a542ec26cea93e049a2e27cd59b1347dd9bbdea13775fd7b822b3c2b3136116f