Malicious PDF — malware analysis report

Static analysis result for SHA-256 2f5d1212a9780384…

Verdict: MALICIOUS
File type: PDF
Size: 99.6 KB
Created: 2021-03-18 03:34:40 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f325c53e1d64c45ad3c202cf1939d8f3
SHA-1: b5d7db2b2248ff04decee284579a708a039af389
SHA-256: 2f5d1212a97803847febb270f19aa7409459d867b7e0e099940ce661ff3718ae
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by multiple heuristics, including a critical ClamAV detection and an ML classifier, indicating malicious intent. The document body, though partially corrupted, suggests a lure related to a 'temperament questionnaire'. The presence of numerous unknown reputation URLs, including one directly associated with the document's apparent theme, strongly suggests this PDF is designed to redirect users to malicious sites for phishing or malware delivery. No scripts were extracted, but the PDF structure itself likely contains obfuscated JavaScript to perform the redirection.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. Readers that keep the first definition and readers that keep the last will resolve different content, a parser-confusion pattern used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000140c0.bin
    SHA-256: 84768a7f75c114beab6c43b4586808925862df84b201cf5a35da9ec8840a855f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x140C0
    Size: 5232 bytes
  • Filename: font_01_sfnt_off0001526b.bin
    SHA-256: 30137450ba376ac8f9d1d7ca3340947e191b44262f86d77436d5580f56755ac3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1526B
    Size: 14048 bytes