Malicious PDF — malware analysis report

Static analysis result for SHA-256 31ca2d19231a7f59…

Verdict: MALICIOUS
File type: PDF
Size: 72.8 KB
Created: 2021-03-10 08:41:43 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-05-10
MD5: 9eafeb17273fa24234b00d4e838aea4e
SHA-1: cace8115390620417a0993f80297c78446209e6d
SHA-256: 31ca2d19231a7f59a1dc5cce6bfd47aa76aee5db05480710ae25a53fe1d93ee3
Risk score: 136

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://fokemale.ru/wix?keyword=explore+learning+cell+division+gizmo+answer+key — PDF link annotation

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size:

  • font_00_sfnt_off0000dd8c.bin — pdf-font-stream — PDF embedded font (sfnt) at offset 0xDD8C — 5784 bytes
    SHA-256: 51146f0387b53c9c53df855348bd060070a96d0e0fc8f33ee0096fd1cd7cb925
  • font_01_sfnt_off0000f152.bin — pdf-font-stream — PDF embedded font (sfnt) at offset 0xF152 — 10520 bytes
    SHA-256: ed0967e6150816e24ed18016311d97a2133750a4e3a9ea10c995e8ba7d3db2ff