Malicious PDF — malware analysis report

Static analysis result for SHA-256 0ad848b30e2d5efc…

MALICIOUS

PDF

Size: 79.4 KB
Created: 2021-03-21 07:36:41 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4d23254e7902cd702d511368a9f12082
SHA-1: db01a6709c0da5050873724ce60cf53865c889d4
SHA-256: 0ad848b30e2d5efc81849fae2a13f47609ab1da620793470651d5b2e0edea901
Risk score: 104

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript

The file was flagged as malicious by both the machine learning classifier (score 0.9990) and ClamAV (Pdf.Phishing.Trojan signature). An external URI action pointing to zajinet.ru, together with the SE_URGENCY_LURE heuristic (urgency or deadline language in the document body), is consistent with a phishing lure that pushes the reader to click through to an attacker-controlled page. The authoring-application metadata (wkhtmltopdf 0.12.5) shows the document was rendered from HTML rather than authored in a desktop application. Note that none of the heuristics listed below reports embedded JavaScript, so the T1059.007 mapping is not corroborated by the findings shown on this page.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://zajinet.ru/strik?utm_term=okin+electric+recliner+chair+parts
    Further URLs extracted from the document:
    • http://pozesex.iblogger.org/7284432492.pdf
    • http://circus.market/gulukinotikosufebelavitu9lon8.pdf
    • http://starkrobotics.org/bosavejusemexa8ucbf.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/6d21d3bc-3f4c-43e9-ab63-9b62a6b64b5b/hp_laserjet_pro_400_color_printer_m451nw_firmware_update.pdf
    • https://uploads.strikinglycdn.com/files/fe7900da-1f57-40af-854a-61618a1c8795/87045228538.pdf
    • https://uploads.strikinglycdn.com/files/a8ae1d9e-33a2-44d6-b21e-0e43fecfb8af/92042431248.pdf
    • https://uploads.strikinglycdn.com/files/879457a4-60f4-4aa5-9a05-15992cd7fe99/las_mejores_frases_de_el_caballero_de_la_armadura_oxidada.pdf
    • https://uploads.strikinglycdn.com/files/8992e3b4-4e9b-497c-9e1a-f79ce4036364/salary_for_mba_in_operations_management.pdf
    • https://uploads.strikinglycdn.com/files/67ccaa3e-177b-48a5-9944-9d9cc7d7fc20/iit_foundation_books_for_class_10_mathematics.pdf
    • https://uploads.strikinglycdn.com/files/5c6eeffa-e739-4b2f-90b3-97ae93f486fe/how_to_write_a_historical_story_ks2.pdf
    • http://vomovawesojuti.epizy.com/77090088570.pdf
    • https://uploads.strikinglycdn.com/files/c29a00b4-1c0c-48c6-831d-ba06f8fe3b95/biwawoxosub.pdf
    • https://uploads.strikinglycdn.com/files/6d32af4b-24b4-477b-9444-89b7f1d0f17c/41865340095.pdf
    • https://uploads.strikinglycdn.com/files/dad833c0-0c6a-4ecd-9117-b2c92be20262/best_coding_books_for_beginners.pdf
    • https://uploads.strikinglycdn.com/files/1aa92a73-4466-4b3d-bb4e-4ff25bf84009/new_american_cuisine_cookbook.pdf
    • https://uploads.strikinglycdn.com/files/4d41b693-7e3f-44e3-9a79-d1e4afadebeb/79687365178.pdf
    • https://uploads.strikinglycdn.com/files/eadda7f0-5151-495b-9102-e1c46782c57c/samsung_galaxy_tab_4_sm-t337a_16gb.pdf
    • http://nupopejif.epizy.com/44364653494.pdf
    • https://uploads.strikinglycdn.com/files/991b7cac-e1de-49c1-817e-ec5c834f2b64/how_does_plate_boundaries_cause_earthquakes.pdf
    • http://bopexetosezulav.rf.gd/mukalesozugi.pdf
    • https://uploads.strikinglycdn.com/files/7f3608ab-a615-4592-8a0b-0cf7430b6276/how_many_carbs_are_in_starbucks_coconut_milk.pdf
    • https://uploads.strikinglycdn.com/files/10facfc2-bed8-4138-9a24-7d8532269679/descriptive_writing_grade_5_examples.pdf
    • https://uploads.strikinglycdn.com/files/6c742b7f-6b93-479d-b450-3b19e1cf9b32/solajuturenuzubopidulusex.pdf
    • https://uploads.strikinglycdn.com/files/c4af4805-67f1-4e12-a117-b42c615e5d02/la_mascara_de_la_muerte_roja_pelicula_online.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    The last seven entries are RDF/Dublin Core/XMP namespace identifiers from the document metadata and the SIL Open Font License URL carried by the embedded fonts; they are not navigable lure targets and can be excluded from triage. The remaining hosts (zajinet.ru, the free-hosting subdomains and the strikinglycdn.com file links) are the ones worth blocking or pivoting on.
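To make the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and PDF_URI findings above concrete, the following script scans raw PDF bytes for indirect objects defined more than once with differing bodies, shows what a first-wins versus a last-wins reader would resolve for each, escalates only when a duplicate carries active content, and extracts /URI link targets. This is an added example written for this page, not the analysis platform's own detection code. It assumes objects are stored uncompressed (objects hidden in /ObjStm streams are not seen), that /URI values are literal strings, and that "last-wins" stands in for xref-following readers that honour the incremental update; the embedded sample PDF and its URL are constructed placeholders, not the sample from this report.

```python
"""Scan raw PDF bytes for (a) indirect objects defined more than once with differing
bodies and (b) /URI link targets, reporting which definition a first-wins versus a
last-wins reader would resolve.  Added example, not tooling from the original report."""
import re
from collections import defaultdict

# "N G obj ... endobj".  The lookbehind stops "14 0 obj" from also matching as "4 0 obj".
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
# /URI with a literal-string value; hex-string and indirect-reference values are not handled here.
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)", re.DOTALL)
# Keys that turn a duplicate body from a layout tweak into active content worth escalating.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/URI", b"/Launch", b"/OpenAction",
               b"/AA", b"/SubmitForm", b"/GoToR")


def parse_objects(pdf: bytes) -> dict:
    """Map (num, gen) -> list of every body seen for that object, in file order."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(pdf):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return dict(objs)


def duplicate_objects(objs: dict) -> list:
    """Objects with more than one definition whose bodies differ, with both resolution views."""
    findings = []
    for key, bodies in objs.items():
        if len(bodies) < 2 or len(set(bodies)) < 2:
            continue  # single definition, or byte-identical repeats (common in benign saves)
        first, last = bodies[0], bodies[-1]
        active = sorted({k.decode() for k in ACTIVE_KEYS if k in first or k in last})
        findings.append({
            "obj": key,
            "definitions": len(bodies),
            "first_wins": first,   # what a linear, first-definition parser resolves
            "last_wins": last,     # what an xref-following reader resolves after the update
            "active_content": active,
            "severity": "high" if active else "info",
        })
    return findings


def _unescape(s: bytes) -> str:
    """Undo the three literal-string escapes that matter for URLs."""
    return s.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\").decode("latin-1")


def extract_uris(objs: dict) -> list:
    """(obj, definition index, url) for every /URI literal, across all definitions."""
    return [(key, idx, _unescape(m.group(1)))
            for key, bodies in objs.items()
            for idx, body in enumerate(bodies)
            for m in URI_RE.finditer(body)]


# Constructed sample: a benign link annotation (object 4) that an incremental update
# redefines with a /URI action.  The URL is a placeholder, not one from the report.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>\nendobj\n"
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] /Border [0 0 0] >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]"
    b" /A << /S /URI /URI (https://example.invalid/lure) >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Prev 9 >>\n%%EOF\n"
)

if __name__ == "__main__":
    objects = parse_objects(SAMPLE_PDF)
    for f in duplicate_objects(objects):
        print(f"{f['obj'][0]} {f['obj'][1]} obj defined {f['definitions']}x, "
              f"severity={f['severity']}, active={f['active_content']}")
    for key, idx, url in extract_uris(objects):
        print(f"/URI in {key[0]} {key[1]} obj (definition #{idx + 1}): {url}")
```

On the constructed sample a first-wins parser sees only a bare link rectangle while a last-wins reader sees the /URI action, which is exactly the divergence the heuristic describes. Byte-identical redefinitions are deliberately ignored, matching the report's note that body-only differences are common in benign incremental updates; on a real sample, run the scan after inflating FlateDecode streams and unpacking object streams, or the objects of interest will not be visible.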

Extracted artifacts (3)

Files carved from inside the sample during analysis. All three are embedded sfnt fonts, which is expected for a wkhtmltopdf-rendered document; no embedded files or other payload streams are listed.

Filename / SHA-256 / Kind / Source / Size

font_00_sfnt_off0000e74e.bin
  SHA-256: 8f8d04ca0cba85409856e5835bad3fecec8a8d7ec1e8ed4e56c208c24465a140
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xE74E
  Size:    4404 bytes

font_01_sfnt_off0000f6d0.bin
  SHA-256: a7b78ced3e83b9d1fe1cb51d6d86851807c06878448d3c5e6f9eb2d06625f032
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xF6D0
  Size:    5112 bytes

font_02_sfnt_off00010830.bin
  SHA-256: ca53339c1fc2669684dfafa7f3c998b0d64e9cac0a348068e697ca6508afcbdf
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x10830
  Size:    11088 bytes