Malicious PDF — malware analysis report

Static analysis result for SHA-256 1f82370a164de2ed…

MALICIOUS

PDF

82.6 KB Created: 2021-01-08 18:22:10 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 12c0c8f6e989baf746e02916f71afac8 SHA-1: bffa3803cb3deb17383959ae783bbe791d83b41d SHA-256: 1f82370a164de2edefb6918a953698e476861a8dab45aea781f54a34edfa0990
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains an embedded URI that directs the user to a suspicious domain, likely for phishing or malware distribution. ClamAV detection and ML classification strongly indicate malicious intent, classifying it as a phishing trojan. The document body, though heavily obfuscated, appears to be a lure related to airport maps, aligning with a phishing attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffnew.ru/123?utm_term=airports+baja+mexico+map
    • https://cdn.sqhk.co/pajerelo/Xkongdq/pusodozinaz.pdf
    • https://static.s123-cdn-static.com/uploads/4404490/normal_5fec934335c03.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/d8392a4b-ca4a-427f-bad4-a632ed5a8dc1/foketetobuxufenesija.pdf
    • https://uploads.strikinglycdn.com/files/24ad81dc-beef-47a3-b484-e39efc76aa04/chicken_noodles_cross_the_road_origin.pdf
    • https://uploads.strikinglycdn.com/files/28ca710a-cc00-4cde-96bb-64547e589a20/lurorosuko.pdf
    • https://s3.amazonaws.com/nazekisigiduz/3951924163.pdf
    • https://uploads.strikinglycdn.com/files/986cf9b9-b358-4796-8910-e7d841515edd/betizo.pdf
    • https://s3.amazonaws.com/labitajaxatufib/torque_wrench_calibration_procedure.pdf
    • https://s3.amazonaws.com/gonima/hotstar_app_for_lg_smart_tv.pdf
    • https://uploads.strikinglycdn.com/files/20644be6-96c0-4077-b420-ee5bb62a257a/the_pixellence_studios_llp.pdf
    • https://s3.amazonaws.com/luxelula/28725637315.pdf
    • https://s3.amazonaws.com/dezajok/zemana_antimalware_free.pdf
    • https://uploads.strikinglycdn.com/files/88845800-9807-4ece-ac63-685f9c7b4620/62347313604.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00010298.bin
2ac0a5aec23aa3a9c9328b9cffe39c41c64a726f48915ed170d80c7e0a670c9f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10298 5320 bytes
font_01_sfnt_off0001149b.bin
465c8975cec0cb3519a2eeb60cb97960764d63b0ce592d29605e2496c0dd774e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1149B 11928 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.