Malicious PDF — malware analysis report

Static analysis result for SHA-256 2c29d260360eb048…

Verdict: MALICIOUS
File type: PDF
Size: 88.5 KB
Created: 2021-03-24 08:03:57 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 11f5439b97dea4171b85e6043d8b7805
SHA-1: 398690d59d37e172e3544e303303028a1cf6ddc2
SHA-256: 2c29d260360eb04842d3ca041481a90f3d9153b8c451a239c525729233ffadfc
Risk Score: 104

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The file is a PDF document carrying an external URL action, flagged as a potential phishing lure. The SE_INVOICE_LURE heuristic indicates that the visible text pairs invoice or payment language with a call to action, consistent with a payment-themed phishing pattern. No scripts were extracted, so the T1059.007 (JavaScript) mapping is not corroborated by any recovered code; the verdict rests on the ClamAV signature, the Nyx classifier score and the external URI. The likely intent is to send the reader to an attacker-controlled page for credential harvesting or a follow-on download. The authoring application, wkhtmltopdf (an HTML-to-PDF renderer), is consistent with the document being a rendered web page whose hyperlinks became PDF link annotations, which would also account for the large number of extracted URLs.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9955

Heuristics (5)

  • ClamAV detection (severity: critical) CLAMAV_DETECTION
    ClamAV signature: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Fake invoice / payment lure (severity: low) SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb. This is context rather than a detection on its own; it gains weight when combined with link, macro, or attachment indicators.
  • External URI (severity: info) PDF_URI
    PDF contains an external URL action (a /URI action reachable from the document).
  • Object number defined twice with different bodies (severity: info) PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A reader that honours the first definition and one that honours the last will resolve different content, a parser-confusion shape used by targeted PDFs to show one thing to a scanner and another to the viewer. Body-only differences are also the normal result of a benign incremental update (a new definition appended with its own xref and trailer), so severity is raised only when the duplicate carries active content such as a URI, JavaScript or launch action.
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels record which channel (macro, JS, link annotation, document body, ...) reached each URL. Triage note: the entries under w3.org, purl.org and ns.adobe.com are XMP/RDF namespace identifiers from the metadata stream, and scripts.sil.org/OFL together with the ascendercorp.com and daltonmaag.com pages are font-licence and foundry URLs of the kind carried in embedded font name tables (three sfnt fonts were carved, see Extracted artifacts); none of these are click targets. The lozipotod.ru link and the externally hosted .pdf links are the ones to pivot on.
    URL https://lozipotod.ru/award?keyword=cash+flow+direct+method+format+pdf
    • https://cdn-cms.f-static.net/uploads/4465263/normal_6042c67ebe01a.pdf
    • https://cdn-cms.f-static.net/uploads/4418746/normal_6053a7e52ed51.pdf
    • https://cdn.sqhk.co/wixefulurifu/kROifjc/maserati_quattroporte_2007_problems.pdf
    • https://cdn.sqhk.co/kitujesijak/ssigEie/79175698185.pdf
    • https://cdn-cms.f-static.net/uploads/4502248/normal_6012d010a68c9.pdf
    • http://hushseo.online/1st_grade_vocabulary_words_worksheetsms3m0.pdf
    • http://nakanilo.club/not_sharpened_synonym04vtn.pdf
    • https://cdn.sqhk.co/pamezuravuno/dBNtiaK/17278851923.pdf
    • http://hamsterbig.com/two_way_anova_in_excel_2013sx08s.pdf
    • https://cdn-cms.f-static.net/uploads/4403543/normal_603169509fe65.pdf
    • https://cdn-cms.f-static.net/uploads/4498883/normal_5fe6a18fba925.pdf
    • http://casbah2point0.com/1010_block_puzzle_game2bpwo.pdf
    • https://cdn.sqhk.co/juzivadareka/Ojj7Agg/roblox_ipo_target_price.pdf
    • https://cdn.sqhk.co/fipufose/diecnNb/iphone_keyboard_control_keyboard.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/5a4ee19d-9acd-4877-948d-43fb819d14b8/who_is_the_master_of_the_universe.pdf
    • http://fevoreselo.epizy.com/gonowujuwiwijiw.pdf
    • https://s3.amazonaws.com/jevedijadiki/idling_to_rule_the_gods_might_guide.pdf
    • https://uploads.strikinglycdn.com/files/bd58d585-d337-4e7c-ac9b-7f7f0bd668d8/viboseboxivipisik.pdf
    • https://uploads.strikinglycdn.com/files/7a224e7b-3e84-4f2f-a900-5ad645feb771/best_international_law_schools_europe.pdf
    • https://uploads.strikinglycdn.com/files/f8de503e-acc6-404b-b3c9-f170484ead2b/vanorusomujenomexatol.pdf
    • https://s3.amazonaws.com/kuxuxemu/bluedio_f2_manual.pdf
    • https://uploads.strikinglycdn.com/files/f29f2f84-9b3e-4bfc-b89e-45f30dfdb896/craftsman_garage_door_setup.pdf
    • http://povusesa.rf.gd/10426216415.pdf
    • https://s3.amazonaws.com/ruzumeb/fubibunopunolinulonulufim.pdf
    • https://s3.amazonaws.com/fonazuzixagizir/what_is_the_plot_of_the_nutcracker_ballet.pdf
    • http://kezasifofajimo.rf.gd/kutige.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
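
The following is an added example, not part of this report or of the scanner that produced it. It shows the check behind the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and PDF_URI heuristics on a constructed PDF: every "N G obj ... endobj" definition is indexed, objects whose repeated definitions differ are reported, each is resolved the way a first-wins and a last-wins reader would, and severity is raised only when a duplicate carries active content. The SAMPLE_PDF bytes, the placeholder domains in it, the ACTIVE_KEYS list and the "medium" severity level are assumptions made for the demo.

```python
"""
Added example (not the report's own tooling): flag an indirect object that is
defined more than once with different bodies, resolve it first-wins and
last-wins, and extract /URI targets from each version.
"""
import re
from collections import defaultdict

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Assumed list of keys whose presence makes a redefined object "active"
# rather than cosmetic (metadata drift from a benign incremental update).
ACTIVE_KEYS = (b"/URI", b"/JavaScript", b"/JS", b"/Launch",
               b"/OpenAction", b"/AA", b"/SubmitForm", b"/GoToR")


def index_objects(pdf: bytes) -> dict:
    """Map (num, gen) -> every body defined for it, in file order."""
    defs = defaultdict(list)
    for m in OBJ_RE.finditer(pdf):
        defs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return dict(defs)


def resolve(defs: dict, ref: tuple, policy: str) -> bytes:
    """Body a reader would use: 'first-wins' keeps the original definition,
    'last-wins' keeps the most recently appended one."""
    bodies = defs[ref]
    return bodies[0] if policy == "first-wins" else bodies[-1]


def duplicate_findings(pdf: bytes) -> list:
    """One finding per object defined more than once with differing bodies."""
    findings = []
    for ref, bodies in index_objects(pdf).items():
        distinct = list(dict.fromkeys(bodies))   # keep order, drop exact repeats
        if len(distinct) < 2:
            continue
        active = any(key in body for body in distinct for key in ACTIVE_KEYS)
        findings.append({
            "ref": ref,
            "versions": len(distinct),
            "active": active,
            # Mirror the report's rule: body-only drift stays info,
            # active content raises it (level chosen for the demo).
            "severity": "medium" if active else "info",
            "first_wins_uris": [u.decode() for u in URI_RE.findall(distinct[0])],
            "last_wins_uris": [u.decode() for u in URI_RE.findall(distinct[-1])],
        })
    return findings


def all_uris(pdf: bytes) -> list:
    """Every /URI string in the file, whichever definition it sits in (PDF_URI)."""
    return sorted({u.decode() for u in URI_RE.findall(pdf)})


# Constructed sample: an original document followed by one incremental update
# that rewrites object 4 (the /Info dictionary, benign drift) and object 5
# (a link annotation whose /URI target changes, active drift).
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj\n"
    b"4 0 obj << /Producer (demo) >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]"
    b" /A << /S /URI /URI (https://invoice.example/statement.pdf) >> >> endobj\n"
    b"trailer << /Root 1 0 R /Info 4 0 R >>\n%%EOF\n"
    b"4 0 obj << /Producer (demo) /ModDate (D:20210324080357+02'00') >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]"
    b" /A << /S /URI /URI (https://lure.example/award?keyword=invoice) >> >> endobj\n"
    b"trailer << /Root 1 0 R /Info 4 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for f in duplicate_findings(SAMPLE_PDF):
        print(f"{f['ref']}: {f['versions']} versions, active={f['active']}, "
              f"severity={f['severity']}")
        print("  first-wins URIs:", f["first_wins_uris"])
        print("  last-wins URIs: ", f["last_wins_uris"])
```

On the sample, object 4 is reported at info (metadata only) and object 5 at the raised level, with the first-wins view pointing at the original link and the last-wins view at the replacement. Per the PDF specification the cross-reference table decides which definition is live; the divergence appears in readers that rebuild the object table by scanning the file after a damaged or missing xref, which is why a scanner and a viewer can disagree. The regex walk above ignores objects packed in compressed object streams, xref streams, string escapes and encryption, so for a real sample run the same logic over the object list a full parser produces (pdf-parser.py, peepdf or pypdf) rather than over raw bytes.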

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00010f2e.bin
    SHA-256: bbe8574674a11aa78f023ff0adf907da36e2c4566587d85077b8ff961acb0519
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10F2E
    Size: 5192 bytes
  • font_01_sfnt_off000120ef.bin
    SHA-256: 15cb8f220ef9bf802ab7ed1d6fba7070dbdbc38fe17de8872ad66f0b66a3a904
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x120EF
    Size: 10900 bytes
  • font_02_sfnt_off00014635.bin
    SHA-256: 9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x14635
    Size: 4324 bytes