Malicious PDF — malware analysis report

Static analysis result for SHA-256 3651df3b5c83eb76…

Verdict: MALICIOUS
File type: PDF
Size: 153.2 KB
Created: 2020-11-24 03:15:50 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0765c277d358be177401b8f09fd92d5a
SHA-1: 7a5c5a2a9216ce158763048376a612fb6646f4ed
SHA-256: 3651df3b5c83eb766725daf553ee0b6a3a068945839d75b2c66b6feb8f254c74
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains an embedded URL that redirects to a suspicious domain, likely for phishing or malware distribution. The ML classifier and the ClamAV detection both strongly indicate malicious intent. Although no scripts were explicitly extracted, the PDF structure and the embedded URI suggest the file is designed to exploit vulnerabilities or to trick users into visiting malicious sites.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9675

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection: see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://traffking.ru/strik?utm_term=rising+of+the+shield+hero+naofumi
    • https://falibapop.weebly.com/uploads/1/3/3/9/133997194/9399127.pdf
    • https://cdn-cms.f-static.net/uploads/4374978/normal_5f9c17a0d9e0f.pdf
    • https://vunixumo.weebly.com/uploads/1/3/1/4/131453253/3ac78b13b13.pdf
    • https://polabufasol.weebly.com/uploads/1/3/2/8/132814050/9376040.pdf
    • https://cdn-cms.f-static.net/uploads/4388825/normal_5fb301aa1a7ea.pdf
    • https://cdn-cms.f-static.net/uploads/4487184/normal_5fa9d5c663619.pdf
    • https://cdn-cms.f-static.net/uploads/4369930/normal_5f95a0bccd136.pdf
    • https://duxepanakotijek.weebly.com/uploads/1/3/4/3/134340233/5658993.pdf
    • https://boxolajabamofi.weebly.com/uploads/1/3/4/3/134356625/pukemunojufugo.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/rujimidujek/pubg_modded_apk.pdf
    • https://s3.amazonaws.com/tagorarib/gijomulejasutujuwamidixep.pdf
    • https://s3.amazonaws.com/rexogeguxosix/38621623425.pdf
    • https://s3.amazonaws.com/bugutaj/receiver_of_many_rachel_alexander_download.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://savannah.gnu.org/projects/freefont/
    • http://www.gnu.org/licenses/
    • http://www.gnu.org/copyleft/gpl.html
    • http://scripts.sil.org/OFL
    • http://www.gnu.org/licenses/lgpl.htmlRegularDanhHong
    • http://www.geocities.com/dnhhng
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (8)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

font_00_sfnt_off0001add8.bin
    SHA-256: 40fe347f1afa1271ad77838456d8f47c950f59932e4ec6d4514ae3a295c0be4f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1ADD8
    Size: 7152 bytes

font_01_sfnt_off0001c001.bin
    SHA-256: ae4f83a5e11e74e6538609cc883389fe422c8c2240d1ca2ed10e788a6c2640d9
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1C001
    Size: 6376 bytes

font_02_sfnt_off0001d602.bin
    SHA-256: 8a6a3c526ef16c847e8d9d87333b5a7bdb44b440692a08ebed15f9c99512f8d3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1D602
    Size: 5328 bytes

font_03_sfnt_off0001e7f2.bin
    SHA-256: 265469cf1409f4c9e65592148b8b6338ad5a0769bfb3f9b27bffd48b018761b6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1E7F2
    Size: 3960 bytes

font_04_sfnt_off0001f3c1.bin
    SHA-256: bb4e43c319e4723ea09225d0f500699c8fd086d26048bd95e92cdeb0fd08b804
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1F3C1
    Size: 1744 bytes

font_05_sfnt_off0001fc78.bin
    SHA-256: 4680b02a4aac39dbd87b1f136ff2625c40ea002fd3239dd26a2100981b6e3ddf
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1FC78
    Size: 13812 bytes

font_06_sfnt_off00022a7d.bin
    SHA-256: 5bf375478ac8905e9aa7d4bdd4dbfbe2f00b85e800e842720fd5044afa522121
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x22A7D
    Size: 17188 bytes

font_07_sfnt_off000243e2.bin
    SHA-256: a76d32ddc32ee6b1cfb794dd2175b98c9ef9a65d2c00e022ba0faa65680fe458
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x243E2
    Size: 6048 bytes