Malicious PDF — malware analysis report

Static analysis result for SHA-256 2c18c0d17cfc1bb4…

MALICIOUS

PDF

67.0 KB Created: 2021-03-02 23:59:12 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 23ac424068399dc845db3b3ee68c8a26 SHA-1: 74a3ed82d0ec32ff8a7fad66790a3dc88586cd7b SHA-256: 2c18c0d17cfc1bb440a3dbd94c546a5bcf426388e80daddfe9dcd83f379a328b
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains an embedded URL that points to a suspicious domain, identified by heuristics as a potential phishing or malware distribution vector. The ML classifier and ClamAV detection strongly indicate malicious intent. While no scripts were explicitly extracted, the PDF structure and embedded URI suggest an attempt to redirect the user to a malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://xezojetit.ru/strik?utm_term=butler+gender+trouble+google+books
    • https://cdn.sqhk.co/kugeturo/jgjsfhb/little_heroes_pediatric_dentistry_mcallen_tx.pdf
    • https://static.s123-cdn-static.com/uploads/4377114/normal_5fe1fb8fd5bc7.pdf
    • https://cdn-cms.f-static.net/uploads/4472783/normal_60289bd64161b.pdf
    • https://cdn.sqhk.co/venitalobeni/bidVxWB/formula_racing_2d_android.pdf
    • https://cdn.sqhk.co/sarunasol/chigjhi/57390476172.pdf
    • https://cdn.sqhk.co/nomitusibop/4rnYigg/17990754606.pdf
    • https://cdn.sqhk.co/fidapulano/Pjijehg/tumblr_activity_page_not_working.pdf
    • https://cdn-cms.f-static.net/uploads/4454287/normal_60395c7768298.pdf
    • https://cdn-cms.f-static.net/uploads/4405437/normal_600a6f2988fc5.pdf
    • https://cdn.sqhk.co/vimewiki/cnLjegg/xupifar.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/kelageketisefuv/pidokuzuworolapituf.pdf
    • https://s3.amazonaws.com/mubefula/video_trn_web_android.pdf
    • https://s3.amazonaws.com/legipalofi/18754486724.pdf
    • http://zoligagomuwe.onlinewebshop.net/79306789543.pdf
    • https://s3.amazonaws.com/wazorixekunafob/33783497884.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000cc01.bin
490557d8f99de4c3c6ea9eff7e9a79193966f5f5b104d8ee1c6ac3bcfc4b8cf8		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCC01 5036 bytes
font_01_sfnt_off0000dd34.bin
9aa6fdbb34d203ebe2e3ca1b2c8b1548741104f9666d85066cb305e82a9f014e		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDD34 9936 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.