Malicious PDF — malware analysis report

Static analysis result for SHA-256 21b29e55a1ee291f…

Verdict: MALICIOUS

File type: PDF
Size: 79.9 KB
Created: 2021-03-31 22:00:14 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 264f1b420aea3b6faabb9a8980480d83
SHA-1: 1036a1cf548f24e969c5856f8558d714ab2e5983
SHA-256: 21b29e55a1ee291fd261f771fc6469d935524dc0cf81bb3b220b11db3b358b84
Risk score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF was flagged as malicious by the Nyx PDF classifier (score 0.9994) and by ClamAV, whose signature classifies it as a phishing trojan. It carries an external /URI link action pointing to a suspicious domain, and dozens of further URLs were extracted from the document body, most of them .pdf paths with randomised names on free-hosting and CDN domains; the apparent intent is to lure the reader into downloading a secondary payload or visiting a phishing page. No JavaScript or other script objects were extracted, so the verdict rests on the external URIs, the document structure and the ML/ClamAV detections rather than on executable content. One indirect object is defined twice with differing bodies, a parser-confusion shape that was rated info only because the duplicate carries no active content. The authoring application, wkhtmltopdf, indicates the document was rendered from HTML.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://lozipotod.ru/award?keyword=fiction+story+elements+pdf
    • http://sitebomobegux.sportsontheweb.net/jegifefizuzagevefuririsum.pdf
    • http://site-shop.xyz/34866279741l7tez.pdf
    • http://jisotevujemi.22web.org/sebibazowovafukusazivik.pdf
    • http://citimart.online/kilipuremimujidamii0c3t.pdf
    • https://cdn.sqhk.co/botonerepap/gh6MVGd/vemalemabezubinaditirirom.pdf
    • http://table-wait.com/31302968803y2zhi.pdf
    • https://cdn.sqhk.co/dudexobexine/gjbgggh/74498336487.pdf
    • https://cdn.sqhk.co/ketalidukepi/0pjgftc/download_voice_recorder_for_pc_windows_10.pdf
    • http://tebogekememesij.mygamesonline.org/24635867047.pdf
    • http://wewofif.scienceontheweb.net/bacteria_bordetella_pertussis.pdf
    • https://cdn.sqhk.co/firokizita/cbvhigj/degegogiruzuxurava.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://josuxak.atwebpages.com/17522451991.pdf
    • https://bdee3e82-1fe6-4084-b289-f15f5249f83e.filesusr.com/ugd/749937_f420ebcef56946ea90dda7d19cb26c6b.pdf?index=true
    • http://tawexega.epizy.com/60069393140.pdf
    • https://1ac5d900-0c69-4f12-8b1d-4e209472b8d2.filesusr.com/ugd/828753_eae4077f224a4aa69fb2df943740cb0d.pdf?index=true
    • https://6184de0c-c318-42a7-882e-c5ddc63b817d.filesusr.com/ugd/1c8c1e_5c8efbbc0bf9480e8d24cb53f3ed3cb4.pdf?index=true
    • http://tevesuxaxil.rf.gd/xasopirilumoxelowamaw.pdf
    • https://95049c82-e412-4913-a0b0-e03e83d5170a.filesusr.com/ugd/127d6e_b6e6780156e644c3b4330205be70e5e6.pdf?index=true
    • https://a98f38e8-5810-4fc9-be6a-c3d78c7c4f9f.filesusr.com/ugd/921909_0e922c827ae44cd5919fb93a1eaee945.pdf?index=true
    • http://pebulibupa.rf.gd/6th_grade_math_worksheets_multiplying_fractions.pdf
    • https://86f5e18a-8766-4ae7-b9bf-31430b627380.filesusr.com/ugd/911c12_914749dc6ee344779d18d76486f67884.pdf?index=true
    • https://c751e6e8-0850-424d-b14e-d7ae46260796.filesusr.com/ugd/bc1028_9de91a037a9740c0b676592e28312a9e.pdf?index=true
    • http://dowafirowelumex.atwebpages.com/66585944881.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
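The PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and EMBEDDED_URL heuristics above describe what the scanner looks for but not how the first-wins / last-wins split arises. The Python below is an added example, not code from this report or from the scanner that produced it: it walks the raw bytes of a constructed two-revision PDF (built inline, without cross-reference tables, so it is a scanner fixture rather than a viewable file), records every definition of each `N G obj`, reports objects whose bodies differ between definitions, resolves the file under both policies, and pulls the /URI target each policy would see. The set of dictionary keys counted as "active content" for the severity decision is an assumption made for the example.

```python
import re

# Constructed fixture (not the sample from the report): a minimal PDF whose
# link annotation, object 4 0, is redefined by an appended incremental update
# with a different /URI. Cross-reference tables are omitted, so this is a
# scanner fixture rather than a viewable file; the scanner works on raw bytes,
# as triage tools do, and does not need them.
ORIGINAL = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
/A << /S /URI /URI (https://docs.example.invalid/report.pdf) >> >> endobj
trailer << /Root 1 0 R /Size 5 >>
%%EOF
"""
UPDATE = b"""4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
/A << /S /URI /URI (http://lure.example.invalid/payload.pdf) >> >> endobj
trailer << /Root 1 0 R /Size 5 >>
%%EOF
"""
SAMPLE = ORIGINAL + UPDATE

# "N G obj ... endobj" anywhere in the file, including after a %%EOF marker.
OBJ_RE = re.compile(rb"(?<!\d)(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
# /URI literal strings; the lookbehind skips a backslash-escaped ')'.
URI_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)")
# Assumption for this example: keys that make a duplicated object "active".
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/SubmitForm",
               b"/GoToR", b"/URI", b"/OpenAction", b"/AA")


def find_objects(data):
    """Map (num, gen) -> every body defined for it, in file order."""
    objs = {}
    for m in OBJ_RE.finditer(data):
        key = (int(m.group(1)), int(m.group(2)))
        objs.setdefault(key, []).append(m.group(3).strip())
    return objs


def duplicate_objects(objs):
    """Objects defined more than once with at least two distinct bodies."""
    return {k: v for k, v in objs.items() if len(set(v)) > 1}


def resolve(objs, policy):
    """Pick one body per object the way a first-wins or last-wins reader does."""
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    return {k: (v[0] if policy == "first" else v[-1]) for k, v in objs.items()}


def extract_uris(body):
    """/URI targets found in one object body, decoded as Latin-1."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(body)]


def has_active_content(body):
    return any(key in body for key in ACTIVE_KEYS)


def triage(data):
    """Summarise duplicate definitions and the URIs each resolution policy sees."""
    objs = find_objects(data)
    dups = duplicate_objects(objs)
    if not dups:
        severity = "none"
    elif any(has_active_content(b) for bodies in dups.values() for b in bodies):
        severity = "warning"   # duplicate carries active content: escalate
    else:
        severity = "info"      # body-only difference, common in benign updates
    return {
        "revisions": data.count(b"%%EOF"),
        "duplicates": sorted(dups),
        "severity": severity,
        "uris_first_wins": sorted(u for b in resolve(objs, "first").values()
                                  for u in extract_uris(b)),
        "uris_last_wins": sorted(u for b in resolve(objs, "last").values()
                                 for u in extract_uris(b)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

A viewer that honours the incremental update resolves object 4 to the second body and follows the lure URL, while a scanner that stops at the first definition only ever sees the original link; that gap is the parser-confusion shape the heuristic describes. The `severity` value mirrors the report's rule: a body-only difference stays at info, and only a duplicate that carries an action or script is escalated.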

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000fd6e.bin
  SHA-256: 5a1d9ead5ba75c4f5506252f6f6a82e861b22c9edca82d1687fe4abd9a4bd095
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xFD6E
  Size: 5148 bytes

Filename: font_01_sfnt_off00010eec.bin
  SHA-256: 514f466ecc5863626bae304f2d6247063e4aeea0bec887963d54493492d458b2
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10EEC
  Size: 10496 bytes