Malicious PDF — malware analysis report

Static analysis result for SHA-256 25ac04f9af8b28e9…

MALICIOUS

PDF

80.2 KB Created: 2021-05-20 01:13:02 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-25
MD5: c7185abaa7ed6bc5d58497f15450306d SHA-1: eca80dd6fab4da860a784205036f7048ad1a04d4 SHA-256: 25ac04f9af8b28e99bd7a2b3ee82f6a71efe98695e6394ef9e14ccd395e0c622
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains an embedded URL that directs users to a suspicious domain, disguised as a PDF to JSON conversion tool. ClamAV and ML classifiers have identified this PDF as malicious, specifically flagging it as a phishing trojan. The presence of an external URI and the overall classification strongly suggest a phishing or malware delivery attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://kuzutuzo.ru/strik?utm_term=convert+pdf+to+json+api PDF link annotation
    • https://cdn-cms.f-static.net/uploads/4416934/normal_605b6c1098a9e.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4412775/normal_605d5ff47c89f.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4466675/normal_60308474c3001.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4470841/normal_602ea888b47a3.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4467577/normal_600cc7d9db0a9.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4419003/normal_601b9842b7e26.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4370275/normal_6035ed56dedc1.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4380082/normal_60285a0c88b0c.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4377663/normal_5fe9560069583.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://s3.amazonaws.com/paxuvagal/colors_tv_apk_free.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/9f683ec2-88b7-44ad-bbba-cc1277492279/51340400565.pdfIn PDF document text
    • https://s3.amazonaws.com/jedadokuti/52273300133.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/7d16ed15-32ae-478b-aed7-d0b8b25e32e0/descargar_driver_hp_officejet_pro_8615.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/2009ccfe-40ba-4ba4-ad6f-ada1af88497b/the_darkest_minds_book_trailer.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/3826e020-40da-49be-a875-3541fff7657c/34478491159.pdfIn PDF document text
    • https://s3.amazonaws.com/lepefi/loxetuj.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/96219509-83cf-4916-8b9d-e2b41ed1d114/runufel.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/09710fa6-8bcf-4caf-be20-54f7d1914a0c/wojabukanixijemimudubaj.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/775b6816-a76c-48c3-b221-d741d8915a24/zelaxil.pdfIn PDF document text
    • https://s3.amazonaws.com/xeropizuwe/lasko_pedestal_fan_not_working.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/3f65df40-f82a-46e4-83be-50b359440076/vovulekiro.pdfIn PDF document text
    • https://s3.amazonaws.com/wenobagupexekap/hamilton_beach_coffee_maker_model_47950.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/7efbcffa-7258-481b-8c18-bae4ceacb667/how_do_i_write_a_letter_of_confirmation_after_probation_period.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000fd95.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFD95 5044 bytes
SHA-256: 1df0fbc96f010080979dc01a05fe47f7f324599e71955a819ae0cd8e322cd7ab
font_01_sfnt_off00010ed5.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10ED5 10372 bytes
SHA-256: 9a37e1a0fde3ca9b64609cac2d8bd6ddcbefd7a2c9b1cfd423b0c550fcdd5d89

Open this report in the interactive analyzer, or submit your own file for analysis.