Malicious PDF — malware analysis report

Static analysis result for SHA-256 1515d0a3cc9f0abd…

Verdict: MALICIOUS
File type: PDF
Size: 76.0 KB
Created: 2021-03-28 06:45:55 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 48eb4bc254608e463c76dfe0ac2abbf0
SHA-1: 80ea92a291b8b4e9c52d4431fe92b2c03892bb48
SHA-256: 1515d0a3cc9f0abda6663ef111d667ecc0277c0aa8fc28fe188b932c09469078
Risk score: 116

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript
Note: none of the heuristics listed below reports JavaScript in this file, so the T1059.007 mapping is not corroborated by this static analysis and should be weighted accordingly.

This PDF file was flagged as malicious and phishing-related by independent checks: the ML classifier (score 0.9998) and a ClamAV signature. The document body is heavily obfuscated but references a '2020 gmc acadia repair manual pdf', a search-term keyword that suggests a lure document built to disguise malicious intent. The embedded URL 'https://bologen.ru/award?keyword=2020+gmc+acadia+repair+manual+pdf' is the primary indicator of compromise and likely leads to a phishing page or a malware download. The other .pdf links extracted from the document body point at further files on free web-hosting and CDN domains and should be treated with the same suspicion; the remaining extracted URIs are XMP metadata namespace identifiers and font vendor/licence links, which are not indicators.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV signature match: the file is classified as a PDF phishing trojan.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will therefore resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content such as actions or JavaScript. Here the heuristic fired at info, meaning no active content was found in the duplicated body; the two versions of the object are still worth diffing by hand.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://bologen.ru/award?keyword=2020+gmc+acadia+repair+manual+pdf (primary indicator, see summary above)
    Other .pdf links in the document body (free web-hosting and CDN domains; treat with the same suspicion):
    • http://kekijojovif.sportsontheweb.net/acidic_alkaline_food_chart.pdf
    • http://govuled.mywebcommunity.org/budijisojov.pdf
    • http://vsspb.ru/magical_unicorn_society_riddle_answerkt45n.pdf
    • http://dekiweragaf.mywebcommunity.org/intex_krystal_clear_saltwater_system_model_cs8110_manual.pdf
    • http://idealslimitalia-oficial.site/birthday_image_for_brother463pk.pdf
    • http://kegetisa.mygamesonline.org/86591136692.pdf
    • http://sakaxek.mygamesonline.org/gezugomiwawenazuminev.pdf
    • http://paxosij.mygamesonline.org/lamarovidozam.pdf
    • http://tejovotemikodes.getenjoyment.net/john_boardman_alexander_the_great_from_his_death_to_the_present_day.pdf
    • http://womovenum.sportsontheweb.net/essential_idioms_in_english_intermediate.pdf
    • http://pixunune.sportsontheweb.net/tecknet_ipad_keyboard_instructions.pdf
    • https://uploads.strikinglycdn.com/files/232f5692-1976-4307-a763-50aa1528745a/29823864198.pdf
    • https://uploads.strikinglycdn.com/files/5048ee99-1e87-41e1-bcc9-b4e5ac9d4a60/kuvumizawexesabagozenezax.pdf
    • https://s3.amazonaws.com/redegelesibif/why_is_my_whirlpool_washer_leaking_from_the_bottom.pdf
    • https://s3.amazonaws.com/legobegutulo/88846685345.pdf
    • https://uploads.strikinglycdn.com/files/4cf4780c-e121-4334-a0e3-29474bd21852/honda_civic_2006_battery.pdf
    • https://s3.amazonaws.com/xotomisen/rofubegigilojexu.pdf
    • https://uploads.strikinglycdn.com/files/83a94a79-510a-450b-8aaa-0e6712271ff7/29005020493.pdf
    Non-indicator URIs (XMP metadata namespaces and font vendor/licence links, consistent with the two embedded sfnt fonts listed under Extracted artifacts; not link targets):
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://scripts.sil.org/OFL
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
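Added example, not part of this report or of the scanner that produced it: a small regex-based object scan that reproduces, on a constructed PDF, the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL check and the channel-labelled URL extraction behind EMBEDDED_URL, and shows why a first-wins and a last-wins reader disagree about a redefined object. The sample bytes, the example.* hostnames and the function names are assumptions for illustration; the regex approach is deliberately tolerant rather than a conforming parser.

```python
"""Added example (not the report's scanner): regex-based PDF object scan that
reproduces PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and channel-labelled URL
extraction, and models first-wins vs last-wins object resolution."""
import re

# Constructed sample (not the analysed file). Object 4 0 is a link annotation;
# an appended incremental update redefines it with a different /URI target.
# Stream /Length keys are omitted: this exercises the scanner, not a viewer.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /Metadata 5 0 R >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://manuals.example/2020-repair-manual.pdf) >> >>
endobj
5 0 obj
<< /Type /Metadata /Subtype /XML >>
stream
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dc="http://purl.org/dc/elements/1.1/"/>
endstream
endobj
trailer
<< /Root 1 0 R >>
%%EOF
4 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://lure.example/award?keyword=repair+manual) >> >>
endobj
trailer
<< /Root 1 0 R /Prev 0 >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
# Names that make an object "active": actions a reader may run on open or click.
ACTIVE_RE = re.compile(rb"/(JavaScript|JS|Launch|URI|SubmitForm|GoToR|OpenAction|AA)\b")
URL_RE = re.compile(rb"https?://[^\s<>()\[\]\"']+")


def parse_objects(data):
    """All indirect object definitions in file order as (num, gen, offset, body).
    Duplicates are kept: incremental updates append, they never overwrite."""
    return [(int(m.group(1)), int(m.group(2)), m.start(), m.group(3).strip())
            for m in OBJ_RE.finditer(data)]


def resolve(objs, policy):
    """Model a naive first-wins or last-wins reader (a conforming reader walks
    the xref chain; these are the two fallbacks the heuristic text names)."""
    table = {}
    for num, gen, _off, body in objs:
        if policy == "first" and (num, gen) in table:
            continue
        table[(num, gen)] = body
    return table


def find_duplicate_objects(objs):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: same (num, gen) defined more than
    once with different bytes; severity raised only if a version is active."""
    versions = {}
    for num, gen, _off, body in objs:
        versions.setdefault((num, gen), []).append(body)
    findings = []
    for (num, gen), bodies in versions.items():
        if len(set(bodies)) < 2:          # byte-identical redefinitions are benign
            continue
        active = any(ACTIVE_RE.search(b) for b in bodies)
        findings.append({"obj": f"{num} {gen}", "versions": len(bodies),
                         "active_content": active,
                         "severity": "medium" if active else "info"})
    return findings


def channel_of(body):
    """Label the channel through which an object's URLs reach the reader."""
    if re.search(rb"/S\s*/URI\b", body):
        return "link_annotation"      # PDF_URI: an external URI action, clickable
    if re.search(rb"/Type\s*/Metadata\b", body) or b"<rdf:RDF" in body:
        return "xmp_metadata"         # namespace identifiers, never link targets
    if re.search(rb"/Type\s*/Font\b|/FontFile", body):
        return "font"                 # vendor/licence URLs from font name tables
    return "document_body"


def extract_urls(objs):
    """EMBEDDED_URL: every URL with its channel and the object it came from."""
    return [(m.group(0).decode("latin-1"), channel_of(body), f"{num} {gen}")
            for num, gen, _off, body in objs
            for m in URL_RE.finditer(body)]


if __name__ == "__main__":
    objs = parse_objects(SAMPLE_PDF)
    for finding in find_duplicate_objects(objs):
        print("duplicate", finding)
    for policy in ("first", "last"):
        print(policy, "wins ->", resolve(objs, policy)[(4, 0)].decode("latin-1"))
    for url, channel, obj in extract_urls(objs):
        print(f"{channel:16} {obj:5} {url}")
```

Run as-is it reports the redefined object 4 0 at medium severity (the duplicate carries a /URI action, unlike the info-level hit in this report), prints the two different targets a first-wins and a last-wins reader resolve for it, and labels the XMP namespace URIs as xmp_metadata rather than as clickable link targets. Against a real sample, pass the file bytes to parse_objects; objects packed into /ObjStm streams or inside encrypted files need decompression or decryption first, which this scan does not attempt.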

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                       Kind              Source                                      Size
font_00_sfnt_off0000e9ba.bin   pdf-font-stream   PDF embedded font (sfnt) at offset 0xE9BA   5476 bytes
  SHA-256: e765cea4aaeb0571dc42c20aeaf73fa627931f3c424af98e1b0cd1e7c9b8c1f9
font_01_sfnt_off0000fc46.bin   pdf-font-stream   PDF embedded font (sfnt) at offset 0xFC46   11496 bytes
  SHA-256: 0548a3576346941f1f56f7b1775080ee0b8ecbcf8fd53fc48dca54358440b875