Malicious PDF — malware analysis report

Static analysis result for SHA-256 37404a1a661c9b9a…

MALICIOUS

PDF

Size: 93.7 KB
Created: 2021-04-01 13:33:46 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b00a081b9f7ba8f459e4ac1ef68946e1
SHA-1: 7485ccc5fbfbaaf89667c5739d8650fc919f570b
SHA-256: 37404a1a661c9b9aa2114a2bb1017a0b7f65221a7eb5db68a4598671183de7a4
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains an external URI pointing to a suspicious domain, and a ClamAV signature identifies it as a phishing trojan. The ML classifier also flagged it with high confidence. No scripts were extracted, but the embedded URLs and the nature of the detection suggest the document is designed to redirect users to malicious sites, likely for phishing or to download further malware.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9967

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://dafemum.ru/aws?utm_term=que+es+una+composici%25C3%25B3n
    • https://cdn.sqhk.co/jabuvilir/0caUlgd/xivur.pdf
    • http://nuvotana.22web.org/bukhari_sharif_hadees_download.pdf
    • https://jimuvidagonolab.weebly.com/uploads/1/3/1/6/131636746/60338e7.pdf
    • http://jerabigemoz.sportsontheweb.net/kinomagak.pdf
    • http://pokuwasu.iblogger.org/windows_shortcut_keys_not_working.pdf
    • https://wikexedijul.weebly.com/uploads/1/3/4/6/134659224/zuziwit.pdf
    • http://zabemaladameg.medianewsonline.com/what_is_a_cultural_landscape.pdf
    • http://malapiwo.66ghz.com/chef_s_choice_food_slicer_manual.pdf
    • http://sawemawe.mywebcommunity.org/muzesuwinut.pdf
    • http://bibuzikufaje.mygamesonline.org/xigazugozikubebi.pdf
    • https://cdn.sqhk.co/tuzevawu/1ojfgcj/sirona_support_canada.pdf
    • http://zumewidife.mygamesonline.org/how_to_open_a_file_in_garageband.pdf
    • http://fuvesozufinefi.medianewsonline.com/gone_with_the_wind_summary_chapter_1.pdf
    • https://lanedipeluta.weebly.com/uploads/1/3/4/6/134666686/xulikopuw_tisajenexi.pdf
    • https://tavifarexup.weebly.com/uploads/1/3/4/6/134611028/f9a34663358.pdf
    • http://boxijogirexu.medianewsonline.com/ieee_papers_on_artificial_intelligence_2020.pdf
    • https://cdn.sqhk.co/karopepagu/Sw7jj9c/85945973716.pdf
    • https://cdn.sqhk.co/pixafosabow/S3tAHgg/jozexuru.pdf
    • http://xaritilufowav.22web.org/48005077797.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://mibobugaf.rf.gd/checklist_for_taking_over_a_business.pdf
    • http://mutodilevo.epizy.com/mathematics_formulas_in_telugu.pdf
    • http://jojulupijawide.onlinewebshop.net/setifapikudewuve.pdf
    • http://betakudo.atwebpages.com/xenexujuzup.pdf
    • http://zomimek.epizy.com/winure.pdf
    • http://gaxegumulot.rf.gd/52049788320.pdf
    • http://bupazomop.rf.gd/dubai_map_2020.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00012d7d.bin
    SHA-256: f3166a48be45fa3ee50d727f6a3c73a0a6a038f10b71c459eed505c5679fee09
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12D7D
    Size: 5148 bytes
  • font_01_sfnt_off00013eb0.bin
    SHA-256: 4431da50e24e57e1e1fc27c2cac295141bb2ae0e774289b441d3f6edfb7c0993
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x13EB0
    Size: 13176 bytes