Malicious PDF — malware analysis report

Static analysis result for SHA-256 121a7a68d673692e…

MALICIOUS

PDF

74.2 KB Created: 2021-03-18 08:56:11 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0a1bd9ee65ac83b165cc0a9fd333afeb SHA-1: b50aff74fdf9323ef07a18c171b3a5efcb53187d SHA-256: 121a7a68d673692ef3407a69234ad6a2a6e644c75da6dcc8e9523ce4c6db6ac5
104 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1566.001 Spearphishing Attachment

The PDF contains embedded JavaScript, a common technique for exploiting PDF vulnerabilities or initiating malicious actions. The document body, though heavily obfuscated, suggests a lure related to 'test answers'. The presence of an external URI pointing to zajinet.ru further supports the malicious intent, likely serving as a download or redirection point for a second-stage payload. The ML classifier and ClamAV detection strongly indicate maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://zajinet.ru/wix?keyword=unit+4+renaissance+and+reformation+test+answers
    • http://vamefegali.mywebcommunity.org/beginning_piano_songs.pdf
    • http://bibivire.mygamesonline.org/sopejetakovozolapana.pdf
    • http://gufopitasuwo.22web.org/76531584993.pdf
    • http://tekeriset.iblogger.org/any_video_cutter_free_filehippo.pdf
    • http://consequences.space/xafasuwijubovifempoo.pdf
    • http://bejawutipage.mywebcommunity.org/74035775586.pdf
    • http://retapadu.medianewsonline.com/sodarijakixevuf.pdf
    • http://wosedumuf.mywebcommunity.org/47870211388.pdf
    • http://tulusujubige.mygamesonline.org/dr_ben_carson_books.pdf
    • http://buylettersonline.com/etsy_logo_template89uvb.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://jezujemoxube.epizy.com/97949474666.pdf
    • http://sinubazafapeni.rf.gd/animal_encyclopedia_book.pdf
    • http://bimegisekew.epizy.com/jejujurisojaw.pdf
    • http://sowezenuvafe.epizy.com/pokemon_arceus_movie_free.pdf
    • http://roveramo.atwebpages.com/geometric_series_problems.pdf
    • http://xakitidopapav.epizy.com/dozofiduranurax.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e4fe.bin
d27f5c236ec7de4052eac074a6823b4928c6f2a0c0ef3980a52c97037ea458d7		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE4FE 5304 bytes
font_01_sfnt_off0000f70e.bin
6ff01a499cf6d523112d7a4d2c6b50f314e06ed60b7a8c768b82652770ad2b44		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF70E 10756 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.