Malicious PDF — malware analysis report

Static analysis result for SHA-256 24c1753458c892ac…

MALICIOUS

PDF

Size: 84.6 KB
Created: 2021-03-16 05:59:56 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 63cbef30bb42af451e6713830d97da71
SHA-1: eaf7579b205afc99b9157adc95de66433ec937b0
SHA-256: 24c1753458c892ac988310cc5da974959cf3f4b6ec632726d2fe28b5e955fea7
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains an embedded URI pointing to a suspicious domain, likely intended to trick the user into downloading a malicious file. The ML classifier and ClamAV detection strongly indicate malicious intent, classifying it as a phishing or trojan delivery mechanism. While no scripts were directly extracted, the presence of embedded URLs and the overall detection suggest a phishing lure designed to deliver a secondary payload.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9992

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://kuzutuzo.ru/strik?utm_term=adobe+photoshop+tutorials+point
    • http://natikolom.site/1_pic_8_words_answers6lbqz.pdf
    • http://natikolom.site/xadagoji7gxra.pdf
    • http://ejqy.com/kgb_archiver_free_for_windows_7ikyk1.pdf
    • http://cyberlife.store/what_is_linear_and_nonlinear_editing14msq.pdf
    • http://myshoes.moscow/why_is_there_a_yellow_heart_next_to_someones_snapchatljba2.pdf
    • http://wordwild-store.com/bolibesomasajev6je.pdf
    • http://rubisteq.online/wipesafojigijijuwuxabop8gay3.pdf
    • http://conicppjry.bid/telupokon17uue.pdf
    • http://drive4mclaneeffingham.com/62363558731l65dq.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://d7ae471b-a447-437d-81b4-4e603f8679d9.filesusr.com/ugd/0a3240_b009c4f10f6744188a1017de39972a85.pdf?index=true
    • https://uploads.strikinglycdn.com/files/87bf0c05-6569-4aee-9fce-1d9518e14693/what_happened_at_the_court_case_of_brown_v._board_of_education_in_1954.pdf
    • https://s3.amazonaws.com/risisipajole/71642257790.pdf
    • https://2a6c20f5-091f-48b5-a5be-bf749919b1f6.filesusr.com/ugd/3794ad_fd48d90ad94842759f973e24567a901e.pdf?index=true
    • https://s3.amazonaws.com/fuwenoxuzasila/fopefemaxisamaxagolu.pdf
    • https://uploads.strikinglycdn.com/files/6bc25813-beb1-4880-b89e-1df2ed49daa5/gokojibexajuvipig.pdf
    • https://caa91486-5fcc-43b7-8b2b-5b817ae85bbe.filesusr.com/ugd/26bbcf_8e89420a604b4311985465e6ce78ee43.pdf?index=true
    • https://e691ad07-92dc-45fa-af10-8929b4045ede.filesusr.com/ugd/87b9a8_3e57f55dbf774439952ebb4a803e24f1.pdf?index=true
    • https://a0d2adcf-75bd-42a9-a42a-c23e1c6e9e1a.filesusr.com/ugd/85c99c_5d15a9755ba2466a819cd3087a32419d.pdf?index=true
    • https://77701ba7-c5ad-4750-ab17-5b03548f7fc0.filesusr.com/ugd/9a242c_e84c7007ad644db9a54c0ac46882c575.pdf?index=true
    • https://uploads.strikinglycdn.com/files/71b9dc4f-6b9a-479c-a955-2c87f03f1bd3/crazy_stupid_love_quotes_for_him.pdf
    • https://df6a9abb-74f3-47e1-b359-fe6d1019da36.filesusr.com/ugd/7921d2_201c9bc60530433a8cb4b683511f8954.pdf?index=true
    • https://uploads.strikinglycdn.com/files/87afccb3-71ba-4db2-b41f-cc0178030c1b/when_did_we_enter_ww2.pdf
    • https://s3.amazonaws.com/silubebebefuju/acid_base_food_chart.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off00010d1d.bin
    SHA-256: 9aedc8f86a8ae34f369581f825c557b68a5cafb20a5c0d37edac99442a1e3ed9
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10D1D
    Size: 5176 bytes
  • font_01_sfnt_off00011ea9.bin
    SHA-256: 5551ebf978b3161f677a901c44bceb626a09eecd5c147df3b650df650cbe6aa3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11EA9
    Size: 11152 bytes