Malicious PDF — malware analysis report

Static analysis result for SHA-256 2d8f5e3eb3a24981…

MALICIOUS

PDF

Size: 81.7 KB
Created: 2021-03-17 12:56:53 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 54f454bbd08f9b1bfe5a455dd0308b53
SHA-1: d951e215d77cb2d4396c8968d7f0dc38246381d8
SHA-256: 2d8f5e3eb3a24981e012eace7199655888547294020982360df90729ad299167
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged by multiple heuristics and a machine learning classifier as malicious, with ClamAV identifying it as Pdf.Phishing.Trojan. The embedded URL 'https://jacksth.ru/wix?keyword=nostalgia+pro+apk+download' suggests a phishing or social engineering lure, likely attempting to trick users into downloading malware disguised as an application. No scripts were extracted from this sample, but the presence of external URIs and the overall detection score indicate a high likelihood of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jacksth.ru/wix?keyword=nostalgia+pro+apk+download

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • font_00_sfnt_off0000eae5.bin
    SHA-256: e9d919a8c53e0295df36bb7a582297c8400e0923b6cfe46fde71ae271a176b61
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEAE5
    Size: 5252 bytes
  • font_01_sfnt_off0000fce9.bin
    SHA-256: 17cb18fde34fff8e31aaafce837c0cd60047c533e1273dab0c75084a23225128
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFCE9
    Size: 11024 bytes
  • font_02_sfnt_off000122cd.bin
    SHA-256: ba772b25a8c7bde65ad662a68d66128ebebca0ee32b1765166e0fa66d0add889
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x122CD
    Size: 16080 bytes