Malicious PDF — malware analysis report

Static analysis result for SHA-256 39c7604169350815…

Verdict: MALICIOUS
File type: PDF
Size: 77.2 KB
Created: 2021-04-01 19:30:24 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9daae5438094094edd8409b669d663fa
SHA-1: d5a592905a0c72c31a7510858cd1b13683c74ff1
SHA-256: 39c76041693508150e7a1f819dc14538645705c7be4fe87895c7225150e37046
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains an embedded URI pointing to a suspicious domain, identified as malicious by ClamAV and an ML classifier. The document body, though heavily obfuscated, appears to be a lure related to technical diagrams, suggesting a phishing attempt to direct users to a malicious website. No scripts were extracted, but the presence of the malicious URL is a strong indicator of a phishing attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off0000ede5.bin
    SHA-256: 0ea923e4c8af2bd88a6e08591a26134c269a0198b748ae89bd8de03109d73d5b
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xEDE5; Size: 5732 bytes
  • font_01_sfnt_off0001014f.bin
    SHA-256: eed8dcb2ee3ec46e37a726fce18b123d45850ab2d4f4486de798a5ee5138183a
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x1014F; Size: 11024 bytes