Malicious PDF — malware analysis report

Static analysis result for SHA-256 3ab37017c38e0a0f…

MALICIOUS

PDF

Size: 90.6 KB
Created: 2021-03-21 07:15:20 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a2842b262411e4dfc4a1a555a8e1d58f
SHA-1: 720a71f50e717caf749274cecc9016de40857fa6
SHA-256: 3ab37017c38e0a0f54cdd389a3f27ed8c81dd41634597ee41198a5ea0076d0e3
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is identified as malicious by ML classifiers and ClamAV, with a critical heuristic firing for ClamAV detection. It contains an embedded external URI pointing to a suspicious domain, which is a common tactic for phishing or malware delivery. Although no scripts were explicitly extracted, the PDF structure and embedded URLs suggest an attempt to redirect the user to a malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://vilenefex.ru/wix?keyword=mage+the+ascension+merits+and+flaws
    • http://vodabutopidaru.getenjoyment.net/what_kind_of_character_is_the_nurse_in_romeo_and_juliet.pdf
    • http://garantiya62.ru/how_to_use_compleat_lexical_tutorcwoce.pdf
    • http://topplafond.xyz/a_level_past_papers_physicsbe7fb.pdf
    • http://sdfsdfsdf.shaketorch.com/dawn_of_titans_mod_apk_obb.pdf
    • http://sovolox.getenjoyment.net/kulojafufinegarixozisox.pdf
    • http://songkfrk.site/hp_officejet_pro_8615_manual9uuqp.pdf
    • http://xewuxufulizifu.22web.org/37983119940.pdf
    • http://nujokopinud.iblogger.org/72959916850.pdf
    • http://presentinsta.online/121807640391xict.pdf
    • http://kidiwutimako.mygamesonline.org/xedepew.pdf
    • http://kogutojoveso.mywebcommunity.org/pairing_mini_jambox_with_iphone.pdf
    • http://rapegutuxipik.22web.org/pediatric_septic_shock_guidelines_2018.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/82f0fe69-a4c9-4964-a8bb-0d2e22962822/where_is_dometic_made.pdf
    • http://xumuritikoxuk.myartsonline.com/74199448914.pdf
    • http://xobebol.onlinewebshop.net/koxixefopasasimori.pdf
    • https://uploads.strikinglycdn.com/files/901d2225-f62c-4d30-8002-048966c75eab/71910109379.pdf
    • https://uploads.strikinglycdn.com/files/ba6869c4-5f51-4723-9a4c-46ba77d10074/emerson_led_tv_will_not_turn_on.pdf
    • https://uploads.strikinglycdn.com/files/146e22fc-d725-4b9f-9d1c-0688b1c0be2c/hp_laserjet_p3015_printer_51.10_error.pdf
    • http://wilosokanik.myartsonline.com/overview_of_networking_concepts.pdf
    • http://dasufolizimifub.rf.gd/bestiario_medieval_ilustrado.pdf
    • https://uploads.strikinglycdn.com/files/f1b612c7-31e6-4178-81d0-1067b8a4ab46/top_5_best_forex_strategies.pdf
    • https://uploads.strikinglycdn.com/files/8515d42a-16cd-484c-8e15-542ea51545bd/why_is_my_uconnect_bluetooth_not_working.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000126f2.bin
  SHA-256: a941cac8d605a914b909cfc5c3676d3a36f03a9e672edf2a7ea31869a1ea5e61
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x126F2
  Size: 5532 bytes

Filename: font_01_sfnt_off000139b7.bin
  SHA-256: 69f5b4efe4410ba4289f324f9105b05e9161b1dd59f600b9a658b51ca158f647
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x139B7
  Size: 10376 bytes