Malicious PDF — malware analysis report

Static analysis result for SHA-256 3686de9f0ceff5d2…

Verdict: MALICIOUS

File type: PDF

Size: 73.2 KB
Created: 2021-06-06 08:58:49 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 85634471b335be520d65926b406c3bfb
SHA-1: 01968d7a313fcdb7bde33e2d4c3ae8f094cc5356
SHA-256: 3686de9f0ceff5d2f55c8f71f0f7f37627b6d89d134c8a3d727b3f32f72e259b
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF carries an external URI action pointing to medvor.ru, a destination ClamAV flags with a Pdf.Phishing.Trojan signature. The visible document text, although obfuscated, appears to concern unit conversion: the link's utm_term reads "cuantos milimetros tiene un kilometro cuadrado" (Spanish for "how many millimetres are in a square kilometre"), consistent with a search-keyword lure that invites the reader to click through. No scripts were extracted, so the T1059.007 (JavaScript) mapping is not backed by any recovered content; the external URI together with the ClamAV signature is the primary evidence for a phishing attempt. Of the other URLs listed under the heuristics, the w3.org, purl.org and ns.adobe.com entries are XMP namespace identifiers and scripts.sil.org/OFL is a font-licence URL, so they are metadata residue rather than link targets (the ascendercorp.com entries most likely come from the embedded font metadata as well); the pbworks.com and strikinglycdn.com links point to further PDF documents with similar keyword-style names, but whether they are related lures is not established by this report.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://medvor.ru/pbw?utm_term=cuantos+milimetros+tiene+un+kilometro+cuadrado
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://dekokos.pbworks.com/w/file/fetch/144418626/zuxupurisinilibalumese.pdf
    • https://uploads.strikinglycdn.com/files/b3ec7b3e-21ee-4de1-a42f-31c9d4d0c623/foreign_words_in_english_language_list.pdf
    • http://xovakovawup.pbworks.com/w/file/fetch/144521541/solikubuzajobixuga.pdf
    • https://uploads.strikinglycdn.com/files/79b3a13a-6a85-4741-b136-1e307bf3457f/watch_american_gods_season_1_episode_2.pdf
    • http://lijegazoz.pbworks.com/f/windows_10_64_bit_download_mega.pdf
    • http://fosirodovo.pbworks.com/w/file/fetch/144461904/70827335351.pdf
    • https://uploads.strikinglycdn.com/files/c83facae-d223-4543-9a7d-62815da992b3/nuwaronupafuzaxewasonatu.pdf
    • http://gosirata.pbworks.com/f/tableau_de_rpartition_des_charges_indirectes_exercices_corrigs.pdf
    • https://uploads.strikinglycdn.com/files/34dfbb8e-cfcd-47e6-bbfb-0178863a73a9/microsoft_wireless_mobile_mouse_5000_not_working.pdf
    • https://uploads.strikinglycdn.com/files/aa629996-c641-46f9-af0e-0831c6ef302f/what_is_democratic_style_of_leadership.pdf
    • https://uploads.strikinglycdn.com/files/511a482f-b5d7-44a7-81eb-536c2a82b540/whats_the_point_of_a_worm_in_tequila.pdf
    • http://fokopaviwu.pbworks.com/f/joined_up_writing_practice_uk.pdf
    • https://uploads.strikinglycdn.com/files/dc2e5329-ed47-4ff1-b8c8-9f637b0ffc5f/defixek.pdf
    • http://nowefuro.pbworks.com/f/does_spotify_work_on_chromebook.pdf
    • https://uploads.strikinglycdn.com/files/4b23e47e-eb23-4a65-b633-596a3e73ff83/can_i_share_someones_instagram_post_on_facebook.pdf
    • https://uploads.strikinglycdn.com/files/20cc152c-96a5-4cff-8077-219366fc8c77/63453155765.pdf
    • https://uploads.strikinglycdn.com/files/b403d05d-8be4-4306-b71a-dc157e2f3350/sketchup_free_tutorials_2019.pdf
    • https://uploads.strikinglycdn.com/files/679120f4-5e3c-40cc-b015-a219d029b71d/infinix_note_2_price_in_ghana.pdf
    • http://pudomasepok.pbworks.com/w/file/fetch/144701121/maths_worksheets_for_kindergarten.pdf
    • http://bukafag.pbworks.com/f/thomas_calculus_14th_edition_solution_chapter_3.pdf
    • https://uploads.strikinglycdn.com/files/3781fc3e-49c2-4389-8c9e-8483c89edc67/panasonic_lumix_fz2000_zoom_test.pdf
    • https://uploads.strikinglycdn.com/files/875f0dd6-b793-45eb-904d-54b257bede6a/asce_37-02_free_download.pdf
    • http://mapijakemifo.pbworks.com/w/file/fetch/144467526/how_to_restore_mxq_box_to_factory_settings.pdf
    • https://uploads.strikinglycdn.com/files/64de5c7d-f993-40aa-8376-7b0e322675d2/htc_one_m8_vs_m9_vs_m10.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
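The two heuristic shapes above, a duplicate object number with differing bodies and URL extraction with per-channel attribution, can be reproduced with a byte-level scan that does not depend on the file's xref table. The script below is an added example written for this page, not the scanner's own code; the sample PDF it runs on is constructed and deliberately minimal (no xref table, no stream /Length), which a viewer would reject but a byte scanner does not need. It emulates both first-wins and last-wins resolution of the duplicated object, raises severity only when a duplicate carries active content, and labels each URL as reached through a /URI link action, XMP metadata, or other body content.

```python
"""Byte-level PDF triage: duplicate object bodies (first-wins vs. last-wins)
and URL channel attribution. Added example; the sample PDF is constructed."""
import hashlib
import re

# "N G obj ... endobj" in file order, repeats included. Caveat: a binary
# stream that happens to contain "endobj" truncates that object's body early.
OBJ_RE = re.compile(rb'(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj', re.S)
URI_ACTION_RE = re.compile(rb'/S\s*/URI\b')          # dictionary is a URI action
URI_KEY_RE = re.compile(rb'/URI\s*\(([^)]*)\)')      # literal-string /URI values only
URL_RE = re.compile(rb'https?://[^\s<>"\'()]+')
# Keys that make a redefinition worth more than "info" severity.
ACTIVE_RE = re.compile(rb'/(JavaScript|JS|Launch|URI|OpenAction|AA)\b')

# Constructed sample: catalog, one page with one link annotation, XMP metadata,
# then an incremental update that redefines the link annotation (object 4).
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Metadata 5 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>\nendobj\n"
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]\n"
    b"   /A << /S /URI /URI (http://example.test/lure) >> >>\nendobj\n"
    b"5 0 obj\n<< /Type /Metadata /Subtype /XML >>\nstream\n"
    b"<x:xmpmeta xmlns:x='adobe:ns:meta/'>"
    b"<rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'/>"
    b"</x:xmpmeta>\nendstream\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Size 6 >>\n%%EOF\n"
    # Incremental update appended after %%EOF: object 4 defined again with a
    # different link target. First-wins readers see /lure, last-wins /updated.
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]\n"
    b"   /A << /S /URI /URI (http://example.test/updated) >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Size 6 >>\n%%EOF\n"
)


def scan_objects(data):
    """Every object definition, including repeats, as (num, gen, body)."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3).strip())
            for m in OBJ_RE.finditer(data)]


def duplicate_objects(data):
    """(num, gen) -> list of bodies for objects defined more than once with
    differing bytes. Byte-identical redefinitions are ignored."""
    defs = {}
    for num, gen, body in scan_objects(data):
        defs.setdefault((num, gen), []).append(body)
    return {k: v for k, v in defs.items()
            if len(v) > 1 and len({hashlib.sha256(b).digest() for b in v}) > 1}


def resolve(data, num, gen, policy="last"):
    """Emulate a first-wins or last-wins reader for one object; None if undefined."""
    bodies = [b for n, g, b in scan_objects(data) if (n, g) == (num, gen)]
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


def duplicate_severity(bodies):
    """'info' for body-only differences, 'raised' when any copy carries active content."""
    return "raised" if any(ACTIVE_RE.search(b) for b in bodies) else "info"


def url_channels(data):
    """url -> set of channels it was reached through:
    'uri-action' (link action target), 'xmp-metadata' (namespace/licence
    residue), or 'body' (anything else, e.g. font or page content)."""
    out = {}
    for _, _, body in scan_objects(data):
        is_xmp = b'<x:xmpmeta' in body or b'<rdf:RDF' in body
        action_urls = set(URI_KEY_RE.findall(body)) if URI_ACTION_RE.search(body) else set()
        for url in URL_RE.findall(body):
            channel = ('uri-action' if url in action_urls
                       else 'xmp-metadata' if is_xmp else 'body')
            out.setdefault(url.decode('latin-1'), set()).add(channel)
    return out


if __name__ == "__main__":
    for (num, gen), bodies in duplicate_objects(SAMPLE_PDF).items():
        print(f"{num} {gen} obj defined {len(bodies)}x, severity={duplicate_severity(bodies)}")
        print("  first-wins:", resolve(SAMPLE_PDF, num, gen, "first"))
        print("  last-wins: ", resolve(SAMPLE_PDF, num, gen, "last"))
    for url, channels in sorted(url_channels(SAMPLE_PDF).items()):
        print(f"{url}  <- {', '.join(sorted(channels))}")
```

Run against the real sample the same way (read the file as bytes and pass it in); the XMP namespace and OFL URLs from the list above land in the xmp-metadata or body channel, and only the target of the link action comes back as uri-action. Hex-string /URI values and object streams are not handled here.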

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off0000ddd4.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xDDD4  5052 bytes
  SHA-256: e971dcfd0fc70e77a644df5af404bd098919fc00b5d4caf020c6f991e4c02be9
font_01_sfnt_off0000eee6.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xEEE6  11720 bytes
  SHA-256: 057648442fbf6a831375b67024830cb6896a3180aa254f31753ca124026f3a3a