Malicious PDF — malware analysis report

Static analysis result for SHA-256 36d656d7e23f876e…

Verdict: MALICIOUS
File type: PDF

Size: 92.5 KB
Created: 2021-03-30 09:01:04 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0ac475827a37cc4b307cc2748bc46bda
SHA-1: d275854327b3a44e014fd724176bad683ba03d73
SHA-256: 36d656d7e23f876e9d778199961535ab1180ce6f1c7afb9d1aafaa1829816aba
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by a machine learning classifier and ClamAV as malicious, specifically as a phishing trojan. It contains an embedded URL that directs users to a suspicious domain, likely for credential harvesting or malware distribution. The document body, though heavily obfuscated, appears to be a lure related to a common online query.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://resalured.ru/strik?utm_term=what+to+reply+when+someone+says+guess+what

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off00010688.bin
    SHA-256: a28fcc4ba65d8171a55e8b87d646ac5d1dd213f66ab2b0026fd39e5ca5d32d1a
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x10688; Size: 2900 bytes
  • font_01_sfnt_off000110ca.bin
    SHA-256: df223026786ff68ef61b1da1d21dd8c58e032d47906f52f4db7b432d24ccb1a0
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x110CA; Size: 5276 bytes
  • font_02_sfnt_off000122a4.bin
    SHA-256: 8085e85f7ab2ec424f2d1e8603e5adaf13eeac0702cda241d6a7218dd8b8c71c
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x122A4; Size: 2484 bytes
  • font_03_sfnt_off00012d46.bin
    SHA-256: 1e9631fd083094dddeef716aa13753d19f80ffb596b57918460dcb1f1f40bbc8
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x12D46; Size: 11160 bytes
  • font_04_sfnt_off0001534c.bin
    SHA-256: 9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x1534C; Size: 4324 bytes