Malicious PDF — malware analysis report

Static analysis result for SHA-256 1a431349711186c2…

Verdict: MALICIOUS

File type: PDF

Size: 68.1 KB
Created: 2021-03-13 13:23:54 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ae648188fed0c1d9a8b83ab30377292d
SHA-1: 53f4ae5cdb30d5fca1555e9d08a3e5941ee350c2
SHA-256: 1a431349711186c275471badc38ade60d1ab7bd11fbb37f2f41e74a600bd49e3
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file was flagged as malicious both by the ML classifiers and by ClamAV, indicating a high likelihood of malicious intent. The external URI action points to a URL that appears to be a lure for the search term 'adjectives worksheet pdf grade 1', which suggests a phishing or social engineering attack. Although no scripts were extracted, the PDF structure and embedded URLs are strong indicators of malicious activity, most likely redirection of users to a compromised site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://botokaw.ru/award?keyword=adjectives+worksheet+pdf+grade+1

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000cb7c.bin
    SHA-256: 16fc12057720cd3910a92565912cd54b64dcd0d1899fc055f294f45f174fddf3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xCB7C
    Size: 5720 bytes
  • font_01_sfnt_off0000df19.bin
    SHA-256: 7b029b9dd41eb15c30d6023ece20825ee0915c398bee7cfa9879d1a639dbb4ce
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDF19
    Size: 10468 bytes