Malicious PDF — malware analysis report

Static analysis result for SHA-256 0b6589d6bd925db2…

Verdict: MALICIOUS
File type: PDF
Size: 79.8 KB
Created: 2021-04-15 08:16:10 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f9bf395b1fbfd8f2c667e8a59d97ad32
SHA-1: 546d4670c9a5135bad98d95e7afc1f2a8aed634c
SHA-256: 0b6589d6bd925db28747477ee811443ee933541e70567323670d92fde1889f6f
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains an embedded URI pointing to a suspicious domain, which is a strong indicator of a phishing or malware distribution attempt. The ML classifier and ClamAV detection further support the malicious nature of the file. Although no scripts were explicitly extracted, the presence of embedded URIs and the overall detection suggest the document is designed to redirect users to malicious content, likely for credential harvesting or further malware deployment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000e7f4.bin
  SHA-256: 705a40f2f1299da93398ac562f39fb8e280a7b0d058145836d6dafd55d8ad212
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xE7F4
  Size: 6812 bytes

Filename: font_01_sfnt_off0000f927.bin
  SHA-256: c5f41f880a561701ce1fd1a2c81f8c2353ee8b4ad3a9587c8854f965952a9fba
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF927
  Size: 5644 bytes

Filename: font_02_sfnt_off00010c3a.bin
  SHA-256: 9347ac7fa46b5ab98be9de39d2f0bb1776553d613fb98005946c7e953a057240
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10C3A
  Size: 10736 bytes