Malicious PDF — malware analysis report

Static analysis result for SHA-256 141180244113851e…

Verdict: MALICIOUS
File type: PDF
Size: 95.2 KB
Created: 2021-03-25 06:24:38 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8134d356da42cd04c4ffb2e4aa541fca
SHA-1: 62ad43703759b714b0adca874e1be8f6327f9889
SHA-256: 141180244113851ed3799e2bddc8981965a4697911bbe2ecad6e3074e1d958a7
Risk Score: 116

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was detected as malicious by ML classifiers and ClamAV, specifically flagged as a phishing trojan. The embedded URL and the heuristic 'SE_CALLBACK_LURE' indicate a phishing attempt, likely to trick users into visiting a malicious site disguised as a loan application form. No scripts were extracted, but the PDF structure itself contains the malicious URL.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://druttle.ru/award?keyword=application+form+for+sbi+home+loan+pdf
    • https://xatevixi.weebly.com/uploads/1/3/4/6/134651360/5163785.pdf
    • https://static.s123-cdn-static.com/uploads/4490365/normal_5fc8348522e2b.pdf
    • https://cdn.sqhk.co/nedabuke/yhjBKhg/73051502859.pdf
    • https://static.s123-cdn-static.com/uploads/4368975/normal_60034e37d0a1c.pdf
    • https://pomegikupabuvad.weebly.com/uploads/1/3/4/1/134133078/ba5bac9f77da85.pdf
    • https://cdn-cms.f-static.net/uploads/4420745/normal_5fd6383144a66.pdf
    • https://cdn.sqhk.co/fiziroluj/J2jijbe/asset_management_books_for_beginners.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://d2faa26e-66ca-44cd-8f84-883624a71019.filesusr.com/ugd/dbbfd0_70a588f136594974873e05dc29bf742b.pdf?index=true
    • https://df4002df-ed14-466c-b758-10ced248c840.filesusr.com/ugd/3b03e6_b69339f3e61a477da9d43b12ad46d84d.pdf?index=true
    • https://s3.amazonaws.com/xuvamuba/turn_mixed_numbers_into_improper_fractions_worksheet.pdf
    • https://4c72699b-aa2e-4dc8-8bd5-1a54e8f938a6.filesusr.com/ugd/f3cb45_4a201353f64844b5bf4e0cd7a78aa2f0.pdf?index=true
    • https://edefa294-c65c-46c5-840b-8a4669b9fdfe.filesusr.com/ugd/e4a001_0edb11c2ad6e4091995d0efb44cd2296.pdf?index=true
    • https://8c77b9b7-c39b-43d6-9406-6086bd2c0f93.filesusr.com/ugd/ee6770_b594c54d1c28490aac8ba7180708fd19.pdf?index=true
    • https://2a984544-7cb8-4a4d-9f60-e686f7994e39.filesusr.com/ugd/1434d3_a5ecf9ac4a3a4f9d856be7448a854cdc.pdf?index=true
    • https://s3.amazonaws.com/luropi/bstc_2018_paper.pdf
    • https://1e438cd7-6f3b-42ac-a97b-d13a75fa135b.filesusr.com/ugd/0c268c_6a336e5b1ad84c3d9371f176d6446118.pdf?index=true
    • https://s3.amazonaws.com/zamemigojat/justin_bieber_songs_all.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00013575.bin
    SHA-256: 8cccb35205874dabc80d7b732ebd9edd52922c1607e54f93cfe3c49542660c63
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x13575
    Size: 5524 bytes
  • Filename: font_01_sfnt_off00014812.bin
    SHA-256: 5158d010d123f30c0b30b96ffca509e9eea9a8aee596705d2dd56d88b061680b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x14812
    Size: 11680 bytes