Malicious PDF — malware analysis report

Static analysis result for SHA-256 251747e77f4de9e8…

Verdict: MALICIOUS
File type: PDF
Size: 85.3 KB
Created: 2021-04-01 13:19:55 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 26e3f8fc3b10e208125e38c49fa76bbd
SHA-1: 2e2ddc1b416ced8ef853e7e59a68f6bfcb49b0bf
SHA-256: 251747e77f4de9e86c02175d655554469a62913a4062aa8756cda5d749e4e79b
Risk score: 104

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF contains an embedded JavaScript stream, and the ML classifier flagged it as malicious with high confidence (score 0.9983). The document body is heavily obfuscated but points to a lure themed on 'mental ability test questions'; the primary external URI (the seumenha.ru link, whose keyword parameter repeats that lure) resolves to a suspicious domain, likely serving as a phishing or malware distribution point. The embedded JavaScript is the most probable vector for executing malicious actions. Of the five heuristics below, only the ClamAV signature is rated critical; the JavaScript rule fired at low severity because no dangerous-API rule triggered alongside it, so the verdict rests mainly on the classifier and the signature, and the JS stream should be extracted and read before the document is treated as a confirmed exploit rather than a phishing lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9983

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://seumenha.ru/award?keyword=mental+ability+test+questions+with+answers+pdf+for+class+5
    • http://pitukegurajokup.22web.org/bessacarr_e495_owners_manual.pdf
    • https://cdn.sqhk.co/xewafazuk/giawndS/wepakofelozezogifutizir.pdf
    • https://cdn.sqhk.co/lolajelor/BOrhj2m/pocket_league_story.pdf
    • http://manenumo.iblogger.org/kenmore_elite_washer_clean_light_flashing.pdf
    • http://zagesevava.iblogger.org/vineland-ii_adaptive_behavior_scales_survey_forms_manual.pdf
    • https://cdn.sqhk.co/zarifabidit/3NfmMiS/glass_eye_pipe_that_changes_color.pdf
    • https://cdn.sqhk.co/veletafi/jhaijoP/ocean_overlord_promo_code.pdf
    • http://sabeladiwuz.22web.org/83047582620.pdf
    • https://cdn.sqhk.co/xodokopav/Olg8ohi/cakewalk_sonar_x3_manual.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • http://nokenamepewu.epizy.com/panufenidodogadilenigox.pdf
    • https://044e8d80-c429-4a1f-820d-9b443c65b389.filesusr.com/ugd/53c654_022a9de3ce8d471f889e854ddbdd639e.pdf?index=true
    • http://fepufikegag.rf.gd/generative_adversarial_networks_cookbook_free.pdf
    • https://uploads.strikinglycdn.com/files/fc062c28-5f47-4927-b3ec-85cdb4128713/gregson_tuba_concerto.pdf
    • https://c4bedd8b-a3e9-4aa8-9751-a6fde4035b7e.filesusr.com/ugd/037f08_a1fb4f1e2c7840aba5c11d553de15e82.pdf?index=true
    • https://uploads.strikinglycdn.com/files/dbb87015-195d-4a9e-b951-79de9af0fc61/what_happened_at_the_end_of_the_world_war_2.pdf
    • https://uploads.strikinglycdn.com/files/9fe7928a-ee3c-4e72-bf43-42736ec4d673/39073849356.pdf
    • https://uploads.strikinglycdn.com/files/4d6bd904-8382-467a-82b4-d0eae1bfbf85/structures_or_why_things_dont_fall_down_drive.pdf
    • https://74269c25-1731-4359-90d4-804f54ef9c1c.filesusr.com/ugd/b5973a_283667b1edba4b719961d9e357f5e239.pdf?index=true
    • http://midofel.rf.gd/logudag.pdf
    • https://uploads.strikinglycdn.com/files/9dddfff0-8e3a-413d-9f2d-ed222ac1fee9/sikudukeboxumenafa.pdf
    • http://munebefeg.rf.gd/zajabojuniretijukuze.pdf
    • https://f1801c53-b3f5-4b94-a9b3-4bb8eb376a66.filesusr.com/ugd/af633f_1850ba2c4796461a979ba897961d5920.pdf?index=true
    • http://deburukibovip.rf.gd/balloon_game_app.pdf
    • https://uploads.strikinglycdn.com/files/14f5ff15-53c9-4132-b309-ce9338acd9c8/cepher_bible_review.pdf
    • https://a7193630-a032-4ee2-b136-33837135b76a.filesusr.com/ugd/fac845_e00368749c9a4ea58bfdcbe746e6b306.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
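
The two structural heuristics above, the duplicate-object check (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) and the per-URL channel labelling (EMBEDDED_URL), can be reproduced with a raw scan of the file's indirect objects. The script below is an added example written for this page, not the analysis engine's own code: it collects every "N G obj ... endobj" definition in file order (deliberately ignoring the xref table, so stale definitions left by incremental updates are seen), reports object numbers whose duplicates differ in body bytes with the first-wins and last-wins views side by side, raises severity only when a duplicate carries active content, and tags each extracted URL with the channel that reaches it (JavaScript action, /URI link action, or plain body text). The sample PDF bytes, the channel names and the active-content key list are constructed for the demo and are not taken from the analysed file.

```python
"""Raw-scan PDF triage: duplicate object bodies and URL channel labelling.
Added example, not the report's tooling. SAMPLE_PDF is constructed, not the sample."""
import re
from collections import defaultdict

# "N G obj ... endobj" as it appears in the raw bytes. The xref table is ignored on
# purpose: we want every definition the file carries, including superseded ones.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
URL_RE = re.compile(rb"https?://[^\s<>()\"']+")
# Keys that make a reader *execute* an object rather than just render it.
# Substring matching is coarse (e.g. /AA also hits /AAPL) but fine for triage.
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction", b"/AA", b"/SubmitForm")


def parse_objects(data):
    """All indirect object definitions in file order: (num, gen, body, offset)."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3).strip(), m.start())
            for m in OBJ_RE.finditer(data)]


def find_duplicate_bodies(objs):
    """Object numbers defined more than once with different bodies.

    A first-wins reader resolves defs[0], a last-wins reader defs[-1]. Incremental
    updates legitimately produce this shape, so severity is only raised to 'high'
    when one of the duplicate bodies carries active content."""
    by_key = defaultdict(list)
    for num, gen, body, off in objs:
        by_key[(num, gen)].append((off, body))
    findings = []
    for (num, gen), defs in by_key.items():
        if len(defs) < 2 or len({body for _, body in defs}) < 2:
            continue
        active = any(k in body for _, body in defs for k in ACTIVE_KEYS)
        findings.append({
            "object": f"{num} {gen}",
            "definitions": len(defs),
            "first_wins": defs[0][1].decode("latin-1"),
            "last_wins": defs[-1][1].decode("latin-1"),
            "severity": "high" if active else "info",
        })
    return findings


def label_urls(objs):
    """Map each URL to the channel(s) that reach it.

    'js'              -> inside a JavaScript action (/JS or /JavaScript)
    'link_annotation' -> inside a /URI action (clickable link)
    'body'            -> anywhere else, e.g. page content text"""
    channels = defaultdict(set)
    for _, _, body, _ in objs:
        if b"/JS" in body or b"/JavaScript" in body:
            channel = "js"
        elif b"/URI" in body:
            channel = "link_annotation"
        else:
            channel = "body"
        for m in URL_RE.finditer(body):
            channels[m.group(0).decode("latin-1")].add(channel)
    return {url: sorted(chans) for url, chans in channels.items()}


def triage(data):
    objs = parse_objects(data)
    return {"duplicates": find_duplicate_bodies(objs), "urls": label_urls(objs)}


# Constructed, PDF-shaped sample: an original document followed by an "incremental
# update" that redefines the page (harmless) and the OpenAction target (JavaScript).
SAMPLE_PDF = b"\n".join([
    b"%PDF-1.4",
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 6 0 R >> endobj",
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
    b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >> endobj",
    b"4 0 obj << /Length 50 >> stream",
    b"BT (Download: http://cdn.example.test/a.pdf) Tj ET",
    b"endstream endobj",
    b"5 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]"
    b" /A << /S /URI /URI (https://example.test/login) >> >> endobj",
    b"6 0 obj << /Type /Action /S /URI /URI (https://example.test/benign) >> endobj",
    b"trailer << /Root 1 0 R >>",
    b"%%EOF",
    b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] /Rotate 0 >> endobj",
    b"6 0 obj << /S /JavaScript /JS (app.launchURL\\(\"https://example.test/payload\", true\\)) >> endobj",
    b"trailer << /Root 1 0 R >>",
    b"%%EOF",
])

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_PDF), indent=2))
```

On the constructed sample, object 3 0 is reported at "info" (the redefinition only adds /Rotate) while object 6 0 is reported at "high", because the first definition is a harmless /URI action and the last is a JavaScript action that a last-wins reader will execute on open. The URL inside that action is labelled "js", the link annotation URL "link_annotation", and the URL in the page text "body", which is the distinction the EMBEDDED_URL rule's per-URL labels are meant to carry. Against a real file, follow up by checking which definition the final xref section actually points at, since that is the one a conformant reader uses.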

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000eb56.bin
  SHA-256: f93070ed9abdcc6f0ee97bd42170181a782385e50fac931b4629c70271bd5164
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xEB56
  Size: 5712 bytes

Filename: font_01_sfnt_off0000fecf.bin
  SHA-256: 54706e21f8436e42aac16ebabc03e679487e4f70775bdd914036c2505445ed44
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xFECF
  Size: 10748 bytes

Filename: font_02_sfnt_off000123d2.bin
  SHA-256: 8a143fce8045042a65bf9ce8fa459eb90743d9261428ffbc947f53fb90ba1dc8
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x123D2
  Size: 16100 bytes

Filename: font_03_sfnt_off000138a8.bin
  SHA-256: 9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x138A8
  Size: 4324 bytes