Malicious PDF — malware analysis report

Static analysis result for SHA-256 2e2535cfc54d37e5…

Verdict: MALICIOUS
File type: PDF

Size: 80.4 KB
Created: 2021-05-14 19:59:34 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 87923a16dd50ed1a4c017fadcf9ec5ae
SHA-1: 1019607864f8805b73aa4bda8f01aa125344f924
SHA-256: 2e2535cfc54d37e5876a5a6aebada169b08bdc0e93615f26006ecb531f9f8ffb
Risk score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1059.007 Command and Scripting Interpreter: JavaScript

The file is flagged both by the Nyx PDF classifier (score 0.9996) and by a ClamAV phishing signature. Its only active content is an external URL action pointing to https://xezojetit.ru/strik?utm_term=how+to+make+simple+and+easy+doll+house: a random-looking .ru domain whose tracking parameter carries the lure topic, the usual shape of an SEO-style lure PDF whose landing page serves a phishing form or a further download. The document body is heavily obfuscated, but the utm_term and the other hosted .pdf links below indicate a crafting/tutorial lure, and the wkhtmltopdf producer string shows the document was converted from HTML, consistent with templated mass production of such files. Of the remaining extracted URLs, the .pdf links on CDN and file-hosting services (sqhk.co, s123-cdn-static.com, f-static.net, strikinglycdn.com, s3.amazonaws.com) follow the same naming pattern and are the useful pivots; the w3.org, purl.org and ns.adobe.com entries are XMP and Dublin Core metadata namespaces, and the ascendercorp.com and scripts.sil.org/OFL entries are font vendor and licence links that most likely come from the name tables of the two embedded fonts, so none of those are indicators on their own. One object is defined twice with different bodies (an incremental update); the heuristic stays at info severity, meaning the duplicate itself does not carry active content. Note that T1059.007 (JavaScript) is listed in the ATT&CK mapping although no JavaScript heuristic fired, so the only confirmed execution vector is the link action and the JavaScript mapping should be treated as unconfirmed.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV signature match. Under ClamAV's platform.category.name convention the signature classifies the file as a PDF phishing lure.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader resolves the earlier definition and a last-wins reader the later one, so the two see different content; this parser-confusion shape is used by targeted PDFs to show a scanner one object and a viewer another. Body-only differences are also common in benign incremental updates (saved annotations, form fills), so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://xezojetit.ru/strik?utm_term=how+to+make+simple+and+easy+doll+house
    • https://cdn.sqhk.co/jigitovewuk/ihghhhf/tower_of_hero_guide.pdf
    • https://static.s123-cdn-static.com/uploads/4451206/normal_5ff9963e5a76f.pdf
    • https://cdn-cms.f-static.net/uploads/4415962/normal_604fade096dc7.pdf
    • https://cdn.sqhk.co/jikowuzu/gfNhbha/cydia_app_admin.pdf
    • http://risumeboze.getenjoyment.net/kefowejozi.pdf
    • https://static.s123-cdn-static.com/uploads/4490256/normal_5fde03ea5f143.pdf
    • https://cdn-cms.f-static.net/uploads/4384030/normal_6041a9970bd16.pdf
    • https://cdn.sqhk.co/sunomedude/difrwgc/surgical_mask_amazon_prime_uk.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/nisoxow/expanding_double_brackets_hard_worksheet.pdf
    • https://uploads.strikinglycdn.com/files/872f6bb9-33f7-4c35-95f8-792c63e78c8d/bazepadebuponuxabefaw.pdf
    • https://uploads.strikinglycdn.com/files/33bf07bd-7436-4273-8466-a0df63acefed/segewizetodikizovesidito.pdf
    • https://uploads.strikinglycdn.com/files/5fdad267-c3c6-42aa-af71-e16b1a719c59/kwikset_909_smartcode_electronic_deadbolt_manual.pdf
    • https://s3.amazonaws.com/ritoma/liwaxin.pdf
    • https://s3.amazonaws.com/penale/bukalapak_apk_untuk_pc.pdf
    • https://uploads.strikinglycdn.com/files/481b5abe-6002-4eb4-89a1-00a94240740f/xomejoxuwaxumezevefufave.pdf
    • https://uploads.strikinglycdn.com/files/3c0fc0b0-3690-46ab-b3a4-bc6cf9a9f853/is_real_estate_flipping_worth_it.pdf
    • https://s3.amazonaws.com/xozeb/transunion_industry_insights_report_q3_2017.pdf
    • https://uploads.strikinglycdn.com/files/156fe692-379c-464b-b1ba-9c34209a8cc1/charles_dickens_a_christmas_carol_italiano.pdf
    • http://wiloradakuno.onlinewebshop.net/logepagirutukuladexotenir.pdf
    • https://uploads.strikinglycdn.com/files/dcc1f1b7-ba6a-468c-bb18-cc0639d9d210/xudefazabamibotepipajog.pdf
    • https://s3.amazonaws.com/tuxutedi/13454521306.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
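The two heuristics above, duplicate object bodies (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) and URL extraction with per-channel labels (EMBEDDED_URL), can be reproduced with a short byte-level scanner. The following Python is an added example written for this report, not the analyser's own code, and it runs on a constructed minimal PDF (not the analysed sample) whose incremental update redefines one link annotation to add a /URI action. The object/URL regular expressions, the ACTIVE_KEYS list, the channel names and the example URL (example.invalid) are all assumptions of this example.

```python
import re

# Constructed sample, not the analysed file: a minimal PDF whose incremental
# update (everything after the first %%EOF) redefines object "4 0" with a
# different body that adds a /URI action. No xref tables are included, so the
# scan below is purely byte-based and the /Prev offset is illustrative.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] >>
endobj
5 0 obj
<< /Producer (wkhtmltopdf) /Namespace (http://ns.adobe.com/xap/1.0/) >>
endobj
trailer
<< /Root 1 0 R /Info 5 0 R >>
%%EOF
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]
   /A << /S /URI /URI (http://example.invalid/lure) >> >>
endobj
trailer
<< /Root 1 0 R /Info 5 0 R /Prev 9 >>
%%EOF
"""

OBJ_RE = re.compile(rb"(?<!\d)(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
URI_KEY_RE = re.compile(rb"/URI\s*\(([^)]*)\)")       # /URI (string) value
LINK_RE = re.compile(rb"/Subtype\s*/Link\b")
BARE_URL_RE = re.compile(rb"https?://[^\s<>()\"']+")

# Keys that make an object "active": a reader follows or executes them rather
# than just rendering. Substring test; good enough for a triage pass.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/URI", b"/Launch", b"/OpenAction",
               b"/AA", b"/SubmitForm", b"/GoToR", b"/EmbeddedFile")


def parse_objects(data):
    """Map (num, gen) -> list of body bytes, in file order.
    Caveat: plain-text scan only. Objects packed into compressed object
    streams (/Type /ObjStm) are not inflated, and a real reader resolves
    objects through the xref chain rather than by scanning for 'N G obj'."""
    objects = {}
    for m in OBJ_RE.finditer(data):
        key = (int(m.group(1)), int(m.group(2)))
        objects.setdefault(key, []).append(m.group(3).strip())
    return objects


def find_duplicate_objects(data):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: objects defined more than once with
    differing bodies. A first-wins reader sees bodies[0], a last-wins reader
    sees bodies[-1]; severity is raised only if some copy carries active content."""
    findings = []
    for (num, gen), bodies in parse_objects(data).items():
        if len(bodies) < 2 or len(set(bodies)) == 1:
            continue  # single definition, or identical bytes re-emitted
        active = any(key in body for body in bodies for key in ACTIVE_KEYS)
        findings.append({
            "ref": f"{num} {gen}",
            "definitions": len(bodies),
            "active": active,
            "severity": "high" if active else "info",
            "first_wins": bodies[0],
            "last_wins": bodies[-1],
        })
    return findings


def extract_uris(data):
    """EMBEDDED_URL: return [(url, channel)]. /URI action values are labelled
    'link-annotation' (inside a /Subtype /Link object) or 'uri-action';
    bare URLs found anywhere else (metadata, XMP, text) are 'document-body'."""
    found, seen = [], set()
    for bodies in parse_objects(data).values():
        for body in bodies:
            channel = "link-annotation" if LINK_RE.search(body) else "uri-action"
            for m in URI_KEY_RE.finditer(body):
                url = m.group(1).decode("latin-1")
                if url not in seen:
                    seen.add(url)
                    found.append((url, channel))
    for m in BARE_URL_RE.finditer(data):
        url = m.group(0).decode("latin-1")
        if url not in seen:
            seen.add(url)
            found.append((url, "document-body"))
    return found


if __name__ == "__main__":
    for f in find_duplicate_objects(SAMPLE_PDF):
        print(f"{f['ref']} obj defined {f['definitions']}x, active={f['active']}, "
              f"severity={f['severity']}")
        print("  first-wins:", f["first_wins"].decode("latin-1"))
        print("  last-wins: ", f["last_wins"].decode("latin-1"))
    for url, channel in extract_uris(SAMPLE_PDF):
        print(f"URL {url}  [{channel}]")
```

On the constructed sample the scanner reports object 4 0 as defined twice with a /URI action only in the last-wins copy (so a scanner that keeps the first definition sees a harmless annotation while a viewer that honours the update follows the link), and it separates the action URL from the bare metadata namespace URL. For real files, use a tool that walks the xref chain and inflates object streams (e.g. qpdf or pdf-parser.py) before trusting first-wins/last-wins conclusions.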

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000fd60.bin
  SHA-256: ef4b841f4c056ea370840a8f6d92dd2788d9f358b8fff634640d7b5c4a46b8b6
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xFD60
  Size: 5324 bytes

Filename: font_01_sfnt_off00010f6a.bin
  SHA-256: 3f84ab4ec848fa41faae2b9e0f6e69ea87ee1de85e4ef32a498d2e180ca6fefd
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10F6A
  Size: 10576 bytes