Malicious PDF — malware analysis report

Static analysis result for SHA-256 262d99bcd033e092…

MALICIOUS

PDF

Size: 80.1 KB
Created: 2021-05-14 22:21:57 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 986e15809689e570dcf1a65ec68a2b14
SHA-1: dc2d6271e030b45cfcffc3393330eb2df1cabb68
SHA-256: 262d99bcd033e092b6ac45d2534237a0f0ad3538869d88fbf13f1f3e67ba0309
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains an embedded URI pointing to a suspicious domain, and ClamAV identifies the file as Pdf.Phishing.Trojan. The ML classifier also flagged the PDF with high confidence. No scripts were extracted from the file, so the T1059.007 (JavaScript) mapping above is not backed by evidence in this report; the external URI action and the ClamAV detection name are what support the assessment of a phishing or malware-distribution lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9957

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; what matters is the channel that reached it (macro, JS, link annotation, document body, ...), shown by the per-URL labels. Note that the www.w3.org, purl.org and ns.adobe.com entries near the end of the list are XMP metadata namespace identifiers and the scripts.sil.org entry is a font licence reference; none of these is an action target.
    URL
    • https://nipisod.ru/strik?utm_term=the+birds+band+discography
    • https://cdn-cms.f-static.net/uploads/4366995/normal_6012dab5680c1.pdf
    • https://cdn-cms.f-static.net/uploads/4408584/normal_60291b676d057.pdf
    • https://static.s123-cdn-static.com/uploads/4375521/normal_5ff2cabe0aecd.pdf
    • https://cdn-cms.f-static.net/uploads/4457563/normal_606cbeed363e1.pdf
    • https://static.s123-cdn-static.com/uploads/4465277/normal_5fdda14879725.pdf
    • http://xonajolonifimo.22web.org/94732125032.pdf
    • https://static.s123-cdn-static.com/uploads/4482860/normal_5fca25d28b0c3.pdf
    • https://static.s123-cdn-static.com/uploads/4392661/normal_5fe5db7c5cada.pdf
    • http://wisagomojinux.iblogger.org/trimble_controller_tsc2_manual.pdf
    • http://sojafefewozuxub.iblogger.org/vofozuzenedo.pdf
    • https://cdn-cms.f-static.net/uploads/4413469/normal_6021cf637432b.pdf
    • http://jomokanus.22web.org/1863755654.pdf
    • https://cdn-cms.f-static.net/uploads/4373259/normal_600daf18cf6c6.pdf
    • https://cdn-cms.f-static.net/uploads/4393790/normal_5fdab0631a35a.pdf
    • http://guwunewuwujulat.iblogger.org/jitojoveju.pdf
    • http://zipezaronin.iblogger.org/boutonniere_deformity_treatment_splint.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://togugufi.epizy.com/13210491114.pdf
    • https://uploads.strikinglycdn.com/files/3e4c21c2-4cc4-4c7b-9937-f5b76793c13e/amana_microwave_oven_price.pdf
    • http://wuxanewelupeluv.epizy.com/tupofakotapove.pdf
    • http://faripemisale.rf.gd/quran_english_version_apk.pdf
    • https://uploads.strikinglycdn.com/files/d6427127-5544-4316-8bd3-438f3550d0a6/what_is_enthalpy_change_of_reaction.pdf
    • http://vowenop.epizy.com/sincerely_yours_book.pdf
    • https://uploads.strikinglycdn.com/files/fcc33b1f-2cdd-4a86-985a-ad20e57e3efd/sony_str-dh500_receiver.pdf
    • http://fereralud.epizy.com/53721879388.pdf
    • https://uploads.strikinglycdn.com/files/99484814-3614-4fc7-bd6d-d04dbe9ccacf/dialectical_behavior_therapy_patient_handouts.pdf
    • http://wamifuxifopaxu.epizy.com/fedositomufodiruraxir.pdf
    • https://uploads.strikinglycdn.com/files/5e5cc66c-f24b-4364-ad85-82ced1f763de/is_coding_dojo_worth_it.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
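The two PDF_URI and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristics above can be reproduced with a small raw-byte scanner. The following is an added example written for this page, not code from the analysis platform or from the sample. It walks every "N G obj ... endobj" definition in file order, reports object numbers that are defined more than once with different bodies, shows what a first-wins and a last-wins reader would each resolve, extracts /URI action targets, and raises the severity of a duplicate only when one of its bodies carries active content (the same rule the heuristic text describes). The embedded PDF is constructed for the example; the attacker.example host, the object numbers and the ACTIVE_KEYS list are assumptions, not data from the analysed file.

```python
import re
from collections import defaultdict

# Constructed sample (not the analysed file): a minimal PDF whose original body
# defines object 3 as a benign /URI action, followed by an incremental update
# that redefines object 3 with a different /URI. Cross-reference tables are
# omitted because the scanner works on raw bytes, not on the xref chain.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [4 0 R] /Count 1 >>
endobj
3 0 obj
<< /S /URI /URI (https://example.org/benign) >>
endobj
4 0 obj
<< /Type /Page /Parent 2 0 R /Annots [5 0 R] >>
endobj
5 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 100] /A 3 0 R >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
3 0 obj
<< /S /URI /URI (http://attacker.example/payload.pdf) >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# "N G obj ... endobj" in file order. A stream that contains the literal bytes
# 'endobj' would cut a body short; acceptable for triage of small samples.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
# /URI followed by a literal string; backslash escapes inside the parentheses are honoured.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# Dictionary keys treated as "active content" for severity escalation (assumed list).
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/URI", b"/Launch", b"/OpenAction", b"/AA")


def pdf_string(raw):
    """Decode a PDF literal string by dropping backslash escapes.
    Handles \\( \\) and \\\\; octal and \\n-style escapes are not needed here."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] == 0x5C and i + 1 < len(raw):  # backslash: keep the next byte verbatim
            out.append(raw[i + 1])
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return out.decode("latin-1")


def iter_objects(data):
    """Yield (objnum, gen, body, offset) for every indirect object, in file order."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip(), m.start()


def find_duplicate_objects(data):
    """Map (objnum, gen) -> [(offset, body), ...] for objects defined more than
    once with at least two distinct bodies (identical re-definitions are ignored)."""
    seen = defaultdict(list)
    for num, gen, body, off in iter_objects(data):
        seen[(num, gen)].append((off, body))
    return {key: defs for key, defs in seen.items()
            if len(defs) > 1 and len({b for _, b in defs}) > 1}


def resolve(data, num, gen, policy="last"):
    """Return the body a first-wins or last-wins reader would use for (num, gen), or None."""
    defs = [body for n, g, body, _ in iter_objects(data) if (n, g) == (num, gen)]
    if not defs:
        return None
    return defs[-1] if policy == "last" else defs[0]


def extract_uris(data):
    """All /URI action targets in file order (every definition, including superseded ones)."""
    return [pdf_string(m.group(1)) for m in URI_RE.finditer(data)]


def carries_active_content(body):
    return any(key in body for key in ACTIVE_KEYS)


def report(data):
    """Findings as (tag, severity, detail), mirroring the heuristic names used in the report."""
    findings = []
    uris = extract_uris(data)
    if uris:
        findings.append(("PDF_URI", "info", f"{len(uris)} /URI action(s): {uris}"))
    for (num, gen), defs in sorted(find_duplicate_objects(data).items()):
        # Body-only differences are normal in incremental updates; escalate only
        # when one of the competing bodies carries active content.
        severity = "high" if any(carries_active_content(b) for _, b in defs) else "info"
        offsets = [off for off, _ in defs]
        findings.append(("PDF_DUPLICATE_OBJ_BODY_INCREMENTAL", severity,
                         f"obj {num} {gen} defined {len(defs)} times at offsets {offsets}; "
                         f"first-wins -> {resolve(data, num, gen, 'first')!r}, "
                         f"last-wins -> {resolve(data, num, gen, 'last')!r}"))
    return findings


if __name__ == "__main__":
    for tag, severity, detail in report(SAMPLE_PDF):
        print(f"[{severity}] {tag}: {detail}")
```

Running it on the constructed sample lists both /URI targets and flags object 3 0 as high, because the superseding body is a /URI action and a first-wins reader (benign link) and a last-wins reader (payload link) disagree. On a real sample, compare the resolve() output for each policy against what the viewer you triage with actually follows.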

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000f94a.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xF94A   5496 bytes
  SHA-256: 04767a81ade27c76167245a90d779cfb8cd29a1134357f2f133dd104ebccab77
font_01_sfnt_off00010bf0.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x10BF0  11400 bytes
  SHA-256: 4ec4107b32f027e262e594c427b9026c3046018cdf7ebd5ce853e46affe35589