Malicious PDF — malware analysis report

Static analysis result for SHA-256 2ac7ec20c02b6523…

MALICIOUS

PDF

87.6 KB Created: 2021-03-29 15:53:08 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b486bf5c1bf7bf4d797fe1ab8a589057 SHA-1: 5088e5f8f89affcd4ea43b2883ef9b34a1bf4f26 SHA-256: 2ac7ec20c02b65239f27f2c82bbdd9925e636328c0ebb08ec63ec04f71d65311
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was flagged by ML classifiers and ClamAV as malicious, indicating a phishing or trojan payload. It contains an embedded URI pointing to a suspicious domain, likely intended to redirect the user to a malicious site. The document body is heavily obfuscated, but the presence of external URIs suggests an attempt to download or redirect to a secondary payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jumiwimov.ru/strik?utm_term=solaris+stanislaw+lem+bill+johnston
    • https://cdn-cms.f-static.net/uploads/4370555/normal_604a53458c80a.pdf
    • https://cdn-cms.f-static.net/uploads/4365582/normal_5fe7899d74765.pdf
    • http://tonagruz.ru/kokikap422cz.pdf
    • https://static.s123-cdn-static.com/uploads/4366406/normal_5ffc0ba1e5f8d.pdf
    • http://organic100.fun/does_canon_mf4770n_support_airprintyk60p.pdf
    • http://pexarinolal.mypressonline.com/candide_gratuit.pdf
    • https://static.s123-cdn-static.com/uploads/4424036/normal_5ffcba7ddbc91.pdf
    • https://cdn-cms.f-static.net/uploads/4450419/normal_6040f20133455.pdf
    • https://cdn-cms.f-static.net/uploads/4407994/normal_5fe94349bf9db.pdf
    • https://cdn-cms.f-static.net/uploads/4390385/normal_5fda83e45fe8b.pdf
    • http://laluwaraselolar.mywebcommunity.org/wolffia_arrhiza.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://77abcf6a-1f47-4233-a5f7-28832101be0a.filesusr.com/ugd/e29e5c_9902be88250a445c80c263a5fac29df4.pdf?index=true
    • https://s3.amazonaws.com/tomamujuf/a_que_edad_se_caso_eva_luna_montaner.pdf
    • https://s3.amazonaws.com/doxifuba/varomutozopidem.pdf
    • https://74f55dc1-c9a5-4be3-8cb6-5a41d2e6c5ca.filesusr.com/ugd/bacb18_c2818ad4ccba451bb5a152bde5b49753.pdf?index=true
    • https://cad90261-f038-4e8a-b384-2e0e37e6cb8c.filesusr.com/ugd/4c4e45_e89bfbdacb744071a03a79ae99926c1b.pdf?index=true
    • https://c02a3fa2-970f-4384-b4fa-7a60184a1b73.filesusr.com/ugd/1da3fe_0b556bfa7f1041318066ce88355d8d7b.pdf?index=true
    • http://mekasesajiw.onlinewebshop.net/60484464112.pdf
    • https://s3.amazonaws.com/xubifupi/22573738628.pdf
    • https://75cc4b12-69da-4024-8422-75f9303faa99.filesusr.com/ugd/d6c222_bff77b8c746b4ad98f92627f60004dd0.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00010165.bin
e1e683cb7e5262be6621b811943be3583959d7c9dfe1a63e2442bc7f0afe5aa4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10165 5124 bytes
font_01_sfnt_off0001129f.bin
1dbd66f9b31a1a2900859089f12555eb042f1a8d790f40fea25c3e7778aa56d4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1129F 15136 bytes
font_02_sfnt_off000140f0.bin
cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34		 pdf-font-stream PDF embedded font (sfnt) at offset 0x140F0 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.