Malicious PDF — malware analysis report

Static analysis result for SHA-256 1fe4385b0904b9c5…

MALICIOUS

PDF

92.2 KB Created: 2021-04-15 10:52:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4fc7384904acae4df643d373429dd8ae SHA-1: 7d76aa4f48382f1468f459122cbc108cd5078c6e SHA-256: 1fe4385b0904b9c53e22f47b375c341fe2fbdc7b59b7b9a51faf95f2509962e6
136 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution T1059.007 JavaScript

This PDF document was flagged by a machine learning classifier and ClamAV as malicious, specifically as a phishing trojan. Heuristics indicate it employs a social-engineering lure, instructing the user to install a browser extension or update to view content. While no scripts were extracted, the presence of embedded URLs suggests a potential download or redirection to a malicious site. The document's primary purpose appears to be tricking the user into compromising their system.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9926

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://leonvi.ru/strik?utm_term=bach+cello+suite+1+in+g+major+sheet+music
    • https://cdn.sqhk.co/towinomer/gfqCjBe/14315936739.pdf
    • http://magnitoli-2ekran.site/45561051154ejbd9.pdf
    • http://pasipodo.mypressonline.com/rufetatudemow.pdf
    • https://cdn.sqhk.co/zasokolof/7ghhgBB/the_mummy_returns_full_movie_download_in_isaimini.pdf
    • http://mativazugu.22web.org/63527378330.pdf
    • https://cdn.sqhk.co/ditetona/jftAfig/79128743907.pdf
    • http://goldenframecollision.com/bobupusowazit7n2s.pdf
    • http://darawesewagu.22web.org/jaxidotuginegox.pdf
    • http://kulinarny.site/julibewisivog1ww60.pdf
    • http://dobilarujokux.sportsontheweb.net/945801114.pdf
    • http://hihikane.space/plantronics_voyager_5200_uc_bluetooth_headset_bundle0pd4x.pdf
    • http://zugasanuko.getenjoyment.net/kutiwanerusorunumasirim.pdf
    • http://xigosilefonaboj.iblogger.org/49189488897.pdf
    • https://cdn.sqhk.co/puxolika/hj5VziJ/fonaponepomasusaribi.pdf
    • https://cdn.sqhk.co/gufemazibafi/hh8RhgQ/71835506446.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://panexorumilogim.myartsonline.com/wavunabajupomuviwimowalag.pdf
    • https://2559d30b-64cd-4b4d-aaad-e76a675dde99.filesusr.com/ugd/f5a024_08487f38bf9a4aa29ccd3061fae9c449.pdf?index=true
    • https://855e1e5b-0daf-4dce-aa73-dfad2bfec5df.filesusr.com/ugd/ced2dc_ac7563851cb04035b7c7de4e9dbcef37.pdf?index=true
    • https://bf23b77b-49a9-4bef-a898-a03cfb94aefa.filesusr.com/ugd/134172_22564f2be68643c18811d8e11cbc72c3.pdf?index=true
    • http://xewuxomepe.epizy.com/talokit.pdf
    • https://17673d3b-e5d0-4e0e-8211-f079fadf35f5.filesusr.com/ugd/13ae68_930ef3a0fe524798963c73cc97f47d4c.pdf?index=true
    • http://sugamane.onlinewebshop.net/minuvewirupufulofajozetux.pdf
    • https://f13dd0f9-fe0a-4257-a88d-d9af1a1cf0e3.filesusr.com/ugd/d954c5_08fde8f98c2c48ef963473f6f8b226da.pdf?index=true
    • http://lajofekozorofa.rf.gd/bujebarokaroluxevetu.pdf
    • https://ecf8b3bd-8201-449f-a39c-156acd88681e.filesusr.com/ugd/97634b_ea51736eca254de9b816286a87fbeb1e.pdf?index=true
    • https://f33eab34-52c4-4f1b-91c9-7c5ec1255b8f.filesusr.com/ugd/9d0374_cd96451a2a994bce85b99822e31079ac.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000103b0.bin
132d7a48d0020467cab4c8bd29b43ef5164473eed8ee8bdb29575b0b3ea33a45		 pdf-font-stream PDF embedded font (sfnt) at offset 0x103B0 5392 bytes
font_01_sfnt_off000115da.bin
6c164b18f97ed4c624959ad5030ad416cefe64713c92376b82bb57bf9c11fda6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x115DA 4624 bytes
font_02_sfnt_off00012279.bin
f02c58b9c251174f96d6acd358631a2f137761f68e46bb50690bb29732168e81		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12279 11680 bytes
font_03_sfnt_off00014a95.bin
dfc101554af167572f943d213a968d2e35332cbf9f59a6cc8673b745b75d97c4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x14A95 16316 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.