Malicious PDF — malware analysis report

Static analysis result for SHA-256 1fee0ae087616be2…

Verdict: MALICIOUS
File type: PDF
Size: 74.3 KB
Created: 2021-03-20 00:55:10 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 04154f3995f0199ff809a80235dac485
SHA-1: 299369641ab7e4ca9d0973712cabdb3576dc19ba
SHA-256: 1fee0ae087616be2e37388f31421d4a6c0c9fd2c7ed6c5522a06883a7672539d
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF carries an external /URI action and a long list of embedded URLs whose paths read like search-engine bait ("punctuation+worksheet+pdf+grade+6", appliance manuals and reviews, a medical textbook): the pattern of "free PDF download" lure campaigns that funnel the reader to a landing page serving a fake download or a further payload. The Nyx classifier (0.9991) and the ClamAV signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 agree on a malicious verdict. No JavaScript or other script was extracted, so the T1059.007 mapping is not backed by observed script content in this sample; what the static evidence supports is a link-based lure (T1566.001) rather than an in-document exploit. When triaging the URL list, note that the w3.org, purl.org and ns.adobe.com entries are XMP namespace identifiers, scripts.sil.org/OFL is the SIL Open Font License link carried in embedded fonts, and ascendercorp.com is a font vendor's site most likely taken from an embedded font's metadata; these are byproducts of the wkhtmltopdf/Qt rendering pipeline and the two embedded fonts, not lures. The remaining entries (free-hosting subdomains on 22web.org, rf.gd, epizy.com, filesusr.com and sqhk.co, S3 bucket paths, and several .ru/.top/.site domains) are the indicators worth pivoting on; where the host is shared infrastructure, block at the full-URL or subdomain level rather than the parent domain.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (4)

  • ClamAV detection critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://dafemum.ru/wix?keyword=punctuation+worksheet+pdf+grade+6
    • http://sdfsdfsdf.shaketorch.com/ritufekoredalibuz.pdf
    • https://cdn.sqhk.co/parapirer/giWohbJ/44361537818.pdf
    • http://xesaverilurum.22web.org/dirt_devil_power_max_pet_ud70167_reviews.pdf
    • https://cdn.sqhk.co/mukibusu/ge6jaVv/zuzujali.pdf
    • http://ruszaimclub.ru/bissell_spot_clean_proheat_pet_leaking_water_from_bottomtb7rb.pdf
    • http://tajevis.22web.org/vetevotigod.pdf
    • https://cdn.sqhk.co/zatejurix/hgjipvm/70546808267.pdf
    • http://de-bewertung-id-q2e5t23.top/apc_back-ups_es_450_manual3xn7e.pdf
    • http://promooffer.site/biwifasufoe0fx.pdf
    • https://cdn.sqhk.co/pumurugo/gia5Ihf/new_breakup_whatsapp_status.pdf
    • http://sellforce.ru/963278665994gu25.pdf
    • https://cdn.sqhk.co/xolovagi/jfggNd1/fox_news_ratings_2020.pdf
    • http://www.ascendercorp.com/ (font vendor site; most likely from an embedded font's metadata)
    • http://www.ascendercorp.com/typedesigners.html (font vendor site; most likely from an embedded font's metadata)
    • http://zunimesigo.rf.gd/70068184493.pdf
    • http://fuxeperejud.rf.gd/17832843947.pdf
    • http://nivujipa.epizy.com/58911084761.pdf
    • https://8c4778c4-ed17-4cf1-86f9-5448e21c5c15.filesusr.com/ugd/6da380_5bcd27dd99c84c47a3c1f4bf87b7319e.pdf?index=true
    • http://ritipoma.epizy.com/embroidery_digitizing_software_free_full.pdf
    • https://8d275f60-8e36-4e70-8574-b6d542a617c4.filesusr.com/ugd/dbf6c2_8668fd562afb4b6cb75019865682754d.pdf?index=true
    • https://s3.amazonaws.com/xipavir/72107269480.pdf
    • https://s3.amazonaws.com/lemerisinivum/jotil.pdf
    • https://3fb740b9-71d8-4183-8edb-de11b68c0a29.filesusr.com/ugd/1fbf8b_7da5188bfb3648a99eb9d2f1d30f9f24.pdf?index=true
    • http://gebutetivifupa.epizy.com/48441929479.pdf
    • http://jukikusikodopom.epizy.com/zigumazukalilunefetixu.pdf
    • https://s3.amazonaws.com/xalexojaxipud/harrisons_principles_of_internal_medicine_twentieth_edition_vol.1__vol.2.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (XMP namespace, not a lure)
    • http://purl.org/dc/elements/1.1/ (XMP namespace, not a lure)
    • http://ns.adobe.com/pdf/1.3/ (XMP namespace, not a lure)
    • http://ns.adobe.com/xap/1.0/ (XMP namespace, not a lure)
    • http://ns.adobe.com/xap/1.0/mm/ (XMP namespace, not a lure)
    • http://ns.adobe.com/xap/1.0/rights/ (XMP namespace, not a lure)
    • http://scripts.sil.org/OFL (SIL Open Font License link from an embedded font, not a lure)
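As an added illustration of the two heuristics above (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and EMBEDDED_URL), not part of the original report or its tooling, the following Python scans a constructed minimal PDF in which an incremental update redefines a link annotation with a different /URI, reports what a first-wins and a last-wins reader would each resolve, and labels every URL by the channel that carried it (a /URI action, an XMP namespace declaration, or a loose string in the body). The sample file, the URLs (example.org, lure.example.net, mirror.example.com) and the info/warning severity labels are assumptions for the example. The scanner is regex-based and does not handle object streams, compression or encryption, so it is a triage aid, not a replacement for a full PDF parser.

```python
import re
from collections import defaultdict

# Constructed sample (not the analysed file). The original body defines object
# 4 (a /Link annotation with a /URI action) once; an appended incremental
# update redefines 4 0 obj with a different /URI. Object 5 is an XMP metadata
# stream whose xmlns declarations look like URLs but are namespace identifiers;
# object 6 is page content carrying a URL as plain text. xref tables, /Length
# values and offsets are stubs: the scanner reads object definitions directly
# and never follows the cross-reference table.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 5 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] /Contents 6 0 R >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
 /A << /S /URI /URI (https://example.org/worksheet.pdf) >> >> endobj
5 0 obj << /Type /Metadata /Subtype /XML /Length 0 >>
stream
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/>
endstream
endobj
6 0 obj << /Length 0 >>
stream
BT /F1 12 Tf (See http://mirror.example.com/file.pdf) Tj ET
endstream
endobj
trailer << /Size 7 /Root 1 0 R >>
%%EOF
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
 /A << /S /URI /URI (http://lure.example.net/payload.pdf) >> >> endobj
trailer << /Size 7 /Root 1 0 R /Prev 0 >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
URI_ACTION_RE = re.compile(rb"/S\s*/URI\b.*?/URI\s*\(([^)]*)\)", re.DOTALL)
XMLNS_RE = re.compile(rb'xmlns:\w+="([^"]+)"')
ANY_URL_RE = re.compile(rb"https?://[^\s()<>\"']+")
# Action types that make a duplicated object "active content" for severity purposes.
ACTIVE_RE = re.compile(rb"/S\s*/(URI|JavaScript|Launch|GoToR|SubmitForm)\b|/JS\b|/OpenAction\b|/AA\b")


def object_definitions(data: bytes) -> dict:
    """Map "num gen" -> every body found for that object, in file order."""
    defs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        key = f"{int(m.group(1))} {int(m.group(2))}"
        defs[key].append(m.group(3).strip())
    return dict(defs)


def duplicate_objects(data: bytes) -> dict:
    """Objects defined more than once with differing bodies.

    first_wins is what a reader that stops at the first definition sees;
    last_wins is what a reader honouring incremental updates (the normal
    behaviour) sees. Severity (an assumed label) is raised from info to
    warning only when one of the bodies carries an action or script.
    """
    out = {}
    for key, bodies in object_definitions(data).items():
        if len(bodies) > 1 and len(set(bodies)) > 1:
            severity = "warning" if any(ACTIVE_RE.search(b) for b in bodies) else "info"
            out[key] = {"count": len(bodies), "first_wins": bodies[0],
                        "last_wins": bodies[-1], "severity": severity}
    return out


def classify_urls(data: bytes) -> dict:
    """Map URL -> channel: 'uri-action' (a clickable /URI action),
    'xmp-namespace' (an xmlns declaration, not a lure) or 'body' (seen only
    as a loose string somewhere in the file). Stronger channels win."""
    urls = {}
    for bodies in object_definitions(data).values():
        for body in bodies:
            for m in URI_ACTION_RE.finditer(body):
                urls.setdefault(m.group(1).decode("latin-1"), "uri-action")
            for m in XMLNS_RE.finditer(body):
                urls.setdefault(m.group(1).decode("latin-1"), "xmp-namespace")
    for m in ANY_URL_RE.finditer(data):
        urls.setdefault(m.group(0).decode("latin-1"), "body")
    return urls


if __name__ == "__main__":
    for key, d in duplicate_objects(SAMPLE_PDF).items():
        print(f"{key} obj defined {d['count']}x, severity {d['severity']}")
        print("  first-wins URI:", URI_ACTION_RE.search(d["first_wins"]).group(1).decode())
        print("  last-wins  URI:", URI_ACTION_RE.search(d["last_wins"]).group(1).decode())
    for url, channel in sorted(classify_urls(SAMPLE_PDF).items(), key=lambda kv: kv[1]):
        print(f"{channel:14} {url}")
```

Run it as-is to see the two resolutions of object 4 and the per-channel URL labels; on a real sample, replace SAMPLE_PDF with the file bytes and expect to add decompression of FlateDecode streams and object-stream expansion before the URL pass is complete.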

Extracted artifacts (2)

Files carved from inside the sample during analysis. Both are embedded sfnt (TrueType/OpenType) font streams, which is expected for a wkhtmltopdf-rendered document; no script, executable or second-stage document was carved.

Filename: font_00_sfnt_off0000e3f2.bin
SHA-256: e00bb6fb3603255cc1b5d4a1a9628da70d32deeb7ff30c11dcbddac5422d350d
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xE3F2
Size: 5696 bytes

Filename: font_01_sfnt_off0000f76b.bin
SHA-256: 3bf1b5586e9918c567fbab7f5b0c343c59db9b02290bc3e067c1c2ce4efd1833
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xF76B
Size: 10628 bytes