Malicious PDF — malware analysis report

Static analysis result for SHA-256 1d71e0e705524035…

Verdict: MALICIOUS
File type: PDF
Size: 79.1 KB
Created: 2021-03-15 13:47:06 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ba1654a461b152d36b40f5572418f509
SHA-1: ea5180c3f7fdb48c1df104dd5de498c58f89fdbd
SHA-256: 1d71e0e705524035b094a141f04be1569793b0129b57312b2b3b8a836dc543db
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains a URL that mimics a search result for a bible PDF, likely as a lure for phishing. ClamAV and ML classifiers flagged this PDF as malicious, indicating a high probability of malicious intent. The embedded URL points to a domain that is likely part of a phishing or malware distribution infrastructure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL: https://kuzutuzo.ru/award?keyword=ethiopian+orthodox+amharic+bible+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000f6a6.bin
    SHA-256: 38f0712a2e466c2631f5b9065cdba21377b90fb339d7947ea062f531243a35ba
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF6A6
    Size: 5380 bytes
  • Filename: font_01_sfnt_off000108cd.bin
    SHA-256: 1a524b6fca919de3bd186a3d2bc11ecced84051ff5520c21099eae060fa9fd59
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x108CD
    Size: 11132 bytes