Malicious PDF — malware analysis report

Static analysis result for SHA-256 26d36e35444c1183…

Verdict: MALICIOUS

File type: PDF

Size: 72.5 KB
Created: 2021-03-22 01:07:24 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d9b81f571913bef759f05b699fd13bf0
SHA-1: 26c4791e57bcfaaf8b39599f85e817638da6ddda
SHA-256: 26d36e35444c11834024214fdfb6d0f628c3fcddbe60f0fa48a07cd78ec798d4
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was identified as malicious by a machine learning classifier and ClamAV, which flagged it as 'Pdf.Phishing.Trojan'. The embedded URL and the document body suggest a phishing lure related to software cracking. Although no scripts were explicitly extracted, the PDF structure and the nature of the detected threat indicate potential for malicious JavaScript execution to facilitate the download of a secondary payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://pelibifir.ru/award?keyword=wps+pdf+to+word+converter+with+crack

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000dd79.bin
    SHA-256: 020192e5484b9683b8f1f2a4bcd09d95702ec5c3d9f612c447797acea30a7690
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDD79
    Size: 5440 bytes
  • font_01_sfnt_off0000f012.bin
    SHA-256: 1bacc061c49e80a6963eac07f1e60df99c80f38a3a684679bcdbae5cd33091b8
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF012
    Size: 10664 bytes