Malicious PDF — malware analysis report

Static analysis result for SHA-256 03c2293f9f7dad05…

MALICIOUS

PDF

Size: 73.7 KB
Created: 2021-03-10 11:24:33 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 54b87f8d9abd5e95372bdea524a450d5
SHA-1: 7603ebf263262ac3c45269764bb374fe2a03042a
SHA-256: 03c2293f9f7dad0547151f9967f97a799b0175ef1971608f452d0f8c676f8e78
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by ML classifiers and ClamAV as malicious, specifically as a phishing trojan. It contains an embedded URI pointing to a suspicious domain, likely intended to host malicious content or redirect the user. The document body, though heavily obfuscated, suggests a lure related to a driving manual, aligning with common phishing tactics.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL: https://xezojetit.ru/wix?keyword=az+driving+manual+2019

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000e248.bin
    SHA-256: b9681fb66fdcaf0ab72cf053cbbfd9302d6e91be3048e4309cfb9e5a2df6810c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE248
    Size: 5548 bytes
  • Filename: font_01_sfnt_off0000f526.bin
    SHA-256: 31a2849027029bc082eb1d831c702c843db4499c4de9b9b1a8a1267ebc91d0a4
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF526
    Size: 10588 bytes