Malicious PDF — malware analysis report

Static analysis result for SHA-256 0ad2f5c8c89c3b65…

MALICIOUS

PDF

75.5 KB Created: 2021-04-01 07:38:53 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d7876298c46d83f492c83fb678a8d0f5 SHA-1: a33444a73635bcee20e9af1a02ea051f755b005a SHA-256: 0ad2f5c8c89c3b65825f2d4fa0ecd35957131531ea75706874ff1092560a7a2f
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The embedded URL points to a suspicious domain, likely serving as a phishing lure. The PDF structure and embedded content suggest it's designed to trick users into visiting this external site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jacksth.ru/wix?keyword=kdd+2020+workshop
    • https://cdn-cms.f-static.net/uploads/4424630/normal_6056d8e720ff8.pdf
    • https://cdn.sqhk.co/gixeruxa/harifVP/bhakti_instrumental_ringtone_mp3_free_download.pdf
    • http://gazozasi.scienceontheweb.net/24924970419.pdf
    • https://cdn-cms.f-static.net/uploads/4468296/normal_603c3a0f8c736.pdf
    • http://jakuzilikigo.iblogger.org/50259778417.pdf
    • https://cdn.sqhk.co/jopubelo/jdPig5b/43893254604.pdf
    • https://cdn-cms.f-static.net/uploads/4492555/normal_6018ab8f98c7c.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/4de287da-9563-4ccf-b238-011c1cc3504c/how_to_reset_linksys_range_extender_re6500.pdf
    • https://uploads.strikinglycdn.com/files/73db0659-ddbd-4f04-b44e-f984c55e8a4e/93203353572.pdf
    • https://uploads.strikinglycdn.com/files/aff5e352-1d44-4c36-8404-67dcf1c0a5d5/whats_extended_metaphor_mean.pdf
    • https://uploads.strikinglycdn.com/files/515d655e-d9cb-4d74-9cbb-a206457e3e9c/kupez.pdf
    • https://uploads.strikinglycdn.com/files/3c99f7ba-1fa2-4de9-89e1-5a00eaa9f130/89555873771.pdf
    • http://gokobuvutojo.epizy.com/homonyms_and_homographs_worksheet_grade_3.pdf
    • https://uploads.strikinglycdn.com/files/a4b14adf-aac8-4b78-800d-99933db81753/john_deere_345_owners_manual.pdf
    • http://jumepenitujox.atwebpages.com/zesiz.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000eab0.bin
a9e79551971d53587a979d7ebb6a27c83de1228ee8f45168940c6dc1834d0aab		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEAB0 5204 bytes
font_01_sfnt_off0000fc77.bin
8f7e461e27081a81d71584a6d876e631b98fb6ef3bd40a7661da14b78e379792		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFC77 10636 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.