Malicious PDF — malware analysis report

Static analysis result for SHA-256 1326ea38e916d43c…

Verdict: MALICIOUS
File type: PDF
Size: 77.4 KB
Created: 2021-03-16 11:41:49 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 010780a0313361877f35667c4ce4129c
SHA-1: 117a10d69d02a45689385c6801e436c7fdda9964
SHA-256: 1326ea38e916d43c4c740425746efead8ebede168d5f1f821cba9f8243130b2d
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is classified as malicious by the ML classifier (Nyx PDF Classifier, score 0.9996) and by ClamAV (Pdf.Phishing.Trojan signature), consistent with a phishing lure delivered as a PDF attachment. The document carries an external URI action whose target (druttle.ru) is unrelated to the document's apparent subject, the usual shape of a click-to-redirect lure. The large set of additional embedded URLs, almost all pointing at PDF files on free-hosting and CDN domains, further supports a phishing or credential-harvesting campaign; the w3.org, purl.org, ns.adobe.com and scripts.sil.org entries, by contrast, are XMP namespace and font-licence identifiers rather than link targets and are not indicators on their own. Note that none of the four heuristics below reports embedded JavaScript, so the T1059.007 mapping is not corroborated by the listed findings and should be confirmed with a dynamic run before it is relied on.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://druttle.ru/wb?keyword=are%20wrist%20based%20blood%20pressure%20monitors%20accurate
    • https://cdn.sqhk.co/kubepugemaki/lVy6jd2/59582851942.pdf
    • https://cdn-cms.f-static.net/uploads/4476282/normal_60153dcf719fd.pdf
    • https://cdn.sqhk.co/kamavedes/sijLlge/nitro_drift_io_games.pdf
    • http://lomidal.mygamesonline.org/how_to_reset_my_innova_3100.pdf
    • https://cdn-cms.f-static.net/uploads/4450140/normal_605006948d88c.pdf
    • https://kebolegenadudus.weebly.com/uploads/1/3/1/4/131454121/e445605d13.pdf
    • https://cdn-cms.f-static.net/uploads/4445128/normal_600e43fc39cd3.pdf
    • http://nopuvobetag.mygamesonline.org/naniwutanas.pdf
    • https://cdn.sqhk.co/mifigatira/cwZQbkm/word_connect_answers.pdf
    • http://xerujupuje.sportsontheweb.net/shakespeare_poems_about_love.pdf
    • http://juwupexutaval.mywebcommunity.org/96726250874.pdf
    • https://cdn-cms.f-static.net/uploads/4387241/normal_5fd972359b27f.pdf
    • https://static.s123-cdn-static.com/uploads/4459325/normal_60024a71c5454.pdf
    • http://fesunasisodenod.getenjoyment.net/buku_osn_biologi_sma_tobi.pdf
    • https://cdn.sqhk.co/rubupidorinu/bjbif10/98836546567.pdf
    • https://retetozatinum.weebly.com/uploads/1/3/0/7/130775023/dexapa.pdf
    • http://mumolazesinidix.getenjoyment.net/debawuvevudiliseji.pdf
    • https://woduluzotuni.weebly.com/uploads/1/3/4/3/134373450/laselesizajivat.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://bebojivim.myartsonline.com/padesa.pdf
    • http://binuwuzipu.myartsonline.com/tuwefeteluf.pdf
    • http://josesomesube.myartsonline.com/jigatane.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
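The PDF_URI and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristics above both come down to scanning the raw object stream of the file. The script below is an added illustration of that logic, not code from the analysis platform: it walks every `N G obj ... endobj` definition, reports objects whose body bytes differ between definitions, shows what a first-wins reader and a last-wins reader would each resolve, raises severity only when the later copy carries active content (the same rule the heuristic text describes), and separately pulls out every /URI action target. The sample PDF is constructed inline for the demonstration and is not the analysed file; the function names and the ACTIVE_KEYS list are the author's choices.

```python
import re
from collections import defaultdict

# Constructed sample (not the analysed file): a minimal PDF whose object 5 0,
# the link annotation, is defined twice. The second definition, appended as an
# incremental update, swaps the harmless /Dest for a /URI action.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20] /Dest [3 0 R /Fit] >> endobj
trailer << /Root 1 0 R >>
%%EOF
5 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI /URI (http://example.invalid/lure) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# "N G obj <body> endobj"; the lookbehind stops "12 0 obj" from also matching "2 0 obj".
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
# Literal-string /URI targets. Hex-string form <...> is not handled here.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Dictionary keys that make a duplicated body worth raising severity on
# (assumed list; extend to taste).
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/URI", b"/OpenAction",
               b"/AA", b"/SubmitForm", b"/GoToR")


def parse_objects(data: bytes):
    """Return {(num, gen): [body, ...]} in file order.

    Deliberately naive: it does not skip stream contents, so an 'endobj'
    inside binary stream data could truncate a body. Good enough to show
    the duplicate-definition shape; a production scanner must track streams.
    """
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return objs


def find_duplicate_bodies(data: bytes):
    """Objects defined more than once with differing bodies.

    Each finding records what a first-wins and a last-wins reader would
    resolve, and whether any later definition carries active content.
    """
    findings = []
    for key, bodies in parse_objects(data).items():
        if len(bodies) < 2 or len(set(bodies)) == 1:
            continue  # single definition, or identical re-emission
        findings.append({
            "obj": key,
            "definitions": len(bodies),
            "first_wins": bodies[0],
            "last_wins": bodies[-1],
            "active": any(k in b for b in bodies[1:] for k in ACTIVE_KEYS),
        })
    return findings


def extract_uris(data: bytes):
    """All /URI action targets, regardless of which definition a reader picks."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(data)]


if __name__ == "__main__":
    for f in find_duplicate_bodies(SAMPLE_PDF):
        sev = "high" if f["active"] else "info"
        num, gen = f["obj"]
        print(f"[{sev}] object {num} {gen} defined {f['definitions']}x with differing bodies")
        print("   first-wins:", f["first_wins"].decode("latin-1"))
        print("   last-wins: ", f["last_wins"].decode("latin-1"))
    print("URI targets:", extract_uris(SAMPLE_PDF))
```

Two caveats when using this against a real file. A conformant reader does not scan linearly at all; it follows the cross-reference table of the last incremental update, so "last-wins" is what Acrobat-style readers see, while naive carvers and some AV engines see "first-wins", which is exactly why the heuristic treats the split as a parser-confusion signal. And the sample above is a benign-looking incremental update with no xref, so a duplicate on its own only tells you the two views disagree; it is the active-content test that decides whether to escalate.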

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000f07d.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xF07D   5440 bytes
  SHA-256: 0d18f53a95bbdc5754385899bb72fcfdb1e3592fea21b60e8612bb38a0edb87d
font_01_sfnt_off000102f6.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x102F6  10804 bytes
  SHA-256: e6c74dcdcbb8564aa103f2ee9dd55f9bd9f1efcbb37fa370fca3c81a23a7ff96