Malicious PDF — malware analysis report

Static analysis result for SHA-256 299da631ddbd628d…

MALICIOUS

PDF

Size: 86.1 KB
Created: 2021-03-31 09:01:29 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2a7eaf23706374993f398a462476686e
SHA-1: 7a3a00fb0fe9c5663b557f12c8ad1b903a132a5a
SHA-256: 299da631ddbd628d68bc39c69140d0de4ac241dadf7064c3d75e81e375f01a85
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was detected as malicious by ML classifiers and ClamAV, specifically identified as a phishing trojan. It contains an embedded URL that appears to be a lure, directing users to a site that mimics search results for educational content. This suggests an attempt to trick users into visiting a malicious domain, likely for further exploitation or credential harvesting.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9988

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off0001084a.bin
    SHA-256: 64d53b4318ba7dc869bcefe2c6c56431e6e12bcaf96a32242cfa9e17b755ba3b
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x1084A; Size: 1528 bytes
  • font_01_sfnt_off00011012.bin
    SHA-256: 4f6b6a113c86ab12818e04c953022d6f33f32f2334999f9c0405d46db76285c9
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x11012; Size: 5344 bytes
  • font_02_sfnt_off0001225f.bin
    SHA-256: 911eb5b1c0c8b7abe4cf99f00f8320f512b5f5841f75a416896097cd530793b5
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x1225F; Size: 11200 bytes