Malicious PDF — malware analysis report

Static analysis result for SHA-256 10674d653abb9818…

MALICIOUS

PDF

Size: 77.7 KB
Created: 2021-04-01 10:30:23 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c30f5de284f90540a49c4db796369e0b
SHA-1: eabbe9977f4b66a169875c02980092157b8b0971
SHA-256: 10674d653abb9818f8e349ac8c98177e86f13e073b5ef73bae70a59517d32364
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was detected as malicious by ML classifiers and ClamAV, indicating a phishing or trojan payload. It contains an embedded URL that directs users to a suspicious domain, likely to deliver a secondary payload or phish for credentials. The document body, though heavily obfuscated, suggests a lure related to 'yoga poses for kids printable'. No scripts were extracted, but the presence of external URIs and the overall detection profile strongly suggest a malicious intent to redirect users to harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://xezojetit.ru/strik?utm_term=yoga+poses+for+kids+printable
    • http://favanitum.iblogger.org/lexunazisukovetilevodokid.pdf
    • https://cdn.sqhk.co/tenokesime/R2hcA5N/jewobiweborusedifizozipa.pdf
    • https://cdn.sqhk.co/sufajezugi/heah0SB/laviwevunoxinifasobitige.pdf
    • http://nodebefituju.iblogger.org/dictionary_english_french_download.pdf
    • https://cdn.sqhk.co/jotapepikota/gflgdiC/62826543351.pdf
    • https://cdn.sqhk.co/fikalibumi/igcLqjb/nyc_police_accident_report_online.pdf
    • https://cdn.sqhk.co/gabixeme/hiVoihi/81012037843.pdf
    • http://simamopi.22web.org/mirae_asset_mutual_fund_sip_form.pdf
    • http://rekopeza.22web.org/bluestacks_offline_installer_filehippo.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/89c25b84-f3d3-4ad7-971f-0c552bf521c4/spanish_family_words_quizlet.pdf
    • https://s3.amazonaws.com/wulotugadag/sloan_flushmate_handle_repair_kit.pdf
    • https://s3.amazonaws.com/tixedujegibex/what_was_life_like_for_peasants_before_the_black_death.pdf
    • https://uploads.strikinglycdn.com/files/b66e8921-3122-4ef6-b94e-cfce6225ebee/canon_p23-dh_v_wont_print.pdf
    • https://uploads.strikinglycdn.com/files/b9461c77-2706-4612-bd20-bd6dd40c2864/zabomiwokaligawenom.pdf
    • http://muriratutujifor.rf.gd/jexuxagofu.pdf
    • http://diturasenupope.epizy.com/1663418479.pdf
    • http://zisoramemib.rf.gd/36042748579.pdf
    • http://lalesokam.epizy.com/airway_assessment_and_management.pdf
    • https://s3.amazonaws.com/fekaduvopigab/zadubasesobuj.pdf
    • http://lememisuxelivem.rf.gd/fonutuvitofawolaxezawom.pdf
    • http://jowemalawebabe.rf.gd/anti_inflammatory_diet_menu.pdf
    • https://uploads.strikinglycdn.com/files/8122925d-bcb7-43ab-8906-0d74b25c2843/the_500_greatest_songs_of_all_time_mp3.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off0000ef84.bin
    SHA-256: 70cfde0c296c747d222001c036aaf842101e88cfe94a2bbb69504ef71ed9774a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEF84
    Size: 5376 bytes
  • font_01_sfnt_off000101d8.bin
    SHA-256: ae52f97399448762a5309dd441dccc27d5e53215e77ddac29480c7ed0e683cf1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x101D8
    Size: 11260 bytes