Malicious PDF — malware analysis report

Static analysis result for SHA-256 30822558cab7aff1…

Verdict: MALICIOUS
File type: PDF
Size: 90.3 KB
Created: 2021-03-27 09:55:25 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6caae5a597ae974e7a60a9d7407cfbdd
SHA-1: aa5f84e924d0b067f7350ef09be30aff4ba4b4c3
SHA-256: 30822558cab7aff1e742463cd665051d708ab0ade1d59312bf965db755491423
Risk score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

Note that no JavaScript heuristic appears among the findings below; the listed detections only corroborate the link-based redirection, not the T1059.007 mapping.

This PDF was flagged as malicious both by the ML classifier and by a ClamAV phishing signature, so the verdict rests on two independent detections. The embedded URLs, which point at many unrelated domains using .pdf-named paths, indicate that the document exists to send the reader to external sites, most likely to serve phishing pages or further downloads. The document body, although obfuscated, contains software and file names (the ponafet.ru link's query string reads "bxactions pro apk"), which reinforces the lure of a legitimate software download. The producer string (wkhtmltopdf, an HTML-to-PDF converter) is consistent with the file being a rendered web page rather than an authored document.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9989

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV signature match; the signature family (Pdf.Phishing) classifies the file as a PDF phishing lure.
  • External URI info PDF_URI
    PDF contains an external URL action (/S /URI), i.e. an action that opens a web address when triggered.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Not every entry below is a lure link: the w3.org, purl.org and ns.adobe.com entries are XMP/RDF namespace identifiers from the document metadata, scripts.sil.org/OFL is the SIL Open Font License URL carried in embedded font metadata, and the ascendercorp.com links (a font vendor) almost certainly come from the embedded fonts' name tables as well.
    • https://ponafet.ru/123?utm_term=bxactions+pro+apk+5.+22
    • http://gakawisogafuga.mygamesonline.org/how_to_edit_music_on_garageband_iphone.pdf
    • http://pumba-timon.space/aditi_singh_sharma_live_performanced4cr7.pdf
    • http://smcjd.com/maschine_mikro_mk3_manuale_italiano8sdgn.pdf
    • https://cdn.sqhk.co/bubiwalifeda/ghcZokK/battlenet_slow_black_ops_4.pdf
    • http://bbflowers.net/65214770544vyu2f.pdf
    • https://cdn.sqhk.co/zubuwebofe/jjhhGhj/10187771843.pdf
    • https://cdn-cms.f-static.net/uploads/4376362/normal_6035440bab812.pdf
    • https://cdn.sqhk.co/fekigimuzib/6ijXlGL/99298618780.pdf
    • http://joy-todays.online/walgreens_blood_pressure_monitor_symbolsioxdm.pdf
    • https://cdn.sqhk.co/sogunixe/fhjeSRT/dave_dangerous_download.pdf
    • http://wozekozexufoxol.scienceontheweb.net/how_many_dunkin_donuts_in_boston.pdf
    • http://jesibijifinuz.mywebcommunity.org/56991643174.pdf
    • https://cdn.sqhk.co/xumirikebixo/hzXijf8/xorasa.pdf
    • https://cdn-cms.f-static.net/uploads/4367944/normal_604e690786359.pdf
    • https://cdn.sqhk.co/fajoliteve/qKgjdql/jopewotoxuwivufoku.pdf
    • http://spiritstudio.ru/kujutedewadiwerewdcu22.pdf
    • https://cdn.sqhk.co/zosiwikiw/idBTjcd/miranda_kerr_net_worth_2018.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://tonavisuma.onlinewebshop.net/foxpro_wildfire_sounds_list.pdf
    • http://pigozezidum.rf.gd/landscape_bond_form.pdf
    • http://pigozezidum.rf.gd/naruto_anime_ultimate_modpack.pdf
    • http://kogogugo.rf.gd/simple_future_tense_worksheets_for_grade_3.pdf
    • http://luderaguzafa.epizy.com/zedakeroseluzu.pdf
    • http://bogalibamadom.myartsonline.com/dumifivazawog.pdf
    • http://zukolokemegizut.rf.gd/alcestis_obra.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
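
As an added example (not part of this report or of the tooling that produced it), the Python script below shows the two heuristic shapes above together: the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL case, where an incremental update redefines an object, and per-object /URI extraction. It scans a constructed PDF (the hostnames vendor.example and lure.example are placeholders, not from the sample), resolves every object both first-wins and last-wins, reports which /URI target each policy reaches, and raises severity only when a duplicated object carries active content. It walks the raw bytes rather than the xref table, does not expand object streams, and reads only literal-string /URI values; all of those are deliberate simplifications.

```python
"""Find duplicate indirect objects in a PDF and show how first-wins and
last-wins readers resolve different /URI targets from them (added example)."""
import re
from collections import defaultdict

# Constructed sample (not the analysed file): object "4 0" is a link annotation
# defined once in the original body and redefined in an incremental update.
# xref offsets are omitted because this scanner walks the bytes, not the xref.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://vendor.example/manual.pdf) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
4 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (http://lure.example/bxactions_pro_apk.pdf) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# "N G obj ... endobj"; the lookbehind stops "14 0 obj" from matching as "4 0 obj".
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
# Literal-string /URI value, allowing backslash escapes; hex strings (<...>) are not handled.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
# Keys whose presence makes a duplicated object "active" rather than cosmetic.
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/URI",
               b"/OpenAction", b"/AA", b"/SubmitForm")


def scan_objects(data: bytes):
    """Every object definition in file order, duplicates included."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3).strip())
            for m in OBJ_RE.finditer(data)]


def find_duplicate_objects(data: bytes):
    """(num, gen) -> distinct bodies, only for objects defined more than once
    with different body bytes; identical redefinitions are collapsed."""
    bodies = defaultdict(list)
    for num, gen, body in scan_objects(data):
        if body not in bodies[(num, gen)]:
            bodies[(num, gen)].append(body)
    return {key: bs for key, bs in bodies.items() if len(bs) > 1}


def resolve_objects(data: bytes, policy: str):
    """Resolve each (num, gen) the way a first-wins or last-wins reader would."""
    resolved = {}
    for num, gen, body in scan_objects(data):
        if policy == "first" and (num, gen) in resolved:
            continue
        resolved[(num, gen)] = body  # last-wins simply overwrites
    return resolved


def extract_uris(body: bytes):
    """/URI literal-string targets found in one object body."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(body)]


def uris_by_policy(data: bytes):
    """URI targets a first-wins reader and a last-wins reader would each follow."""
    out = {}
    for policy in ("first", "last"):
        uris = []
        for body in resolve_objects(data, policy).values():
            uris.extend(extract_uris(body))
        out[policy] = uris
    return out


def carries_active_content(body: bytes):
    return any(key in body for key in ACTIVE_KEYS)


def assess(data: bytes):
    """One finding per duplicated object; severity raised only when a variant is active."""
    findings = []
    for (num, gen), bodies in find_duplicate_objects(data).items():
        active = any(carries_active_content(b) for b in bodies)
        findings.append({
            "object": f"{num} {gen}",
            "variants": len(bodies),
            "severity": "high" if active else "info",
            "uris": sorted({u for b in bodies for u in extract_uris(b)}),
        })
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_PDF):
        print(finding)
    print(uris_by_policy(SAMPLE_PDF))
```

Run against the sample, the first-wins view reaches only the vendor URL while the last-wins view reaches only the lure URL, which is exactly the disagreement between readers that the heuristic describes; a triage pipeline should extract URLs from every variant of a duplicated object, not just from whichever one its own parser happens to pick.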

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000eafd.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEAFD
    Size: 18588 bytes
    SHA-256: 461a8da1b8d0a38f74dd32e8e10cfe71dd3a41b3543f08569daed333e1b9fea8
  • font_01_sfnt_off000122aa.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x122AA
    Size: 5364 bytes
    SHA-256: bc6378ef9d5c13914f2f23bb60055987a3a2f49485d8bf07af202bcb7a85b367
  • font_02_sfnt_off0001350d.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1350D
    Size: 11060 bytes
    SHA-256: c337f47b9bbb77f9bc07f9cb202b4299759188bf8323c734e8d18652bef55eea