Malicious PDF — malware analysis report

Static analysis result for SHA-256 3b731bf5ef56a554…

Verdict: MALICIOUS
File type: PDF
Size: 81.0 KB
Created: 2021-03-07 05:54:29 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a36a9daf4902fee40148cc4eec2c8759
SHA-1: 416f5984a7e7eb2b43441d81f367fe2fe4093945
SHA-256: 3b731bf5ef56a5542d960e10b9157dee0df7fcdf7b10163b70558fe27ee3608c
Risk score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The file is a PDF document that carries an external URI action, and the first extracted URL (on jacksth.ru, with a query string of "evidence of teaching effectiveness with no experience") matches the lure theme of the heavily obfuscated document body. The ClamAV signature (Pdf.Phishing.Trojan) and the ML classifier (malicious score 0.9964) agree that the file is malicious, most likely for phishing or as a download lure for further payloads. No scripts were extracted, so the T1059.007 (JavaScript) tag is not backed by any recovered script; the active content is the URI action, whose purpose is to redirect the reader to a remote site. Of the remaining extracted URLs, the w3.org, purl.org, ns.adobe.com and scripts.sil.org entries are XMP namespace and font-licence identifiers rather than link targets, and the ascendercorp.com entries most likely come from the name tables of the embedded fonts (Ascender is a type foundry); they should not be treated as indicators.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9964

Heuristics (4)

  • ClamAV detection (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    The PDF contains an external URL action (a /URI action).
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader therefore resolve different content for the same reference, a parser-confusion shape used by targeted PDFs to show one thing to a scanner and another to the viewer. Body-only differences are also normal in benign incremental updates (each save appends a new revision rather than rewriting the file), so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jacksth.ru/wix?keyword=evidence+of+teaching+effectiveness+with+no+experience
    • https://cdn.sqhk.co/fogunivugame/eAkMjip/rizupimivaduf.pdf
    • https://cdn-cms.f-static.net/uploads/4370077/normal_601badce3051f.pdf
    • http://kujazudoxiro.22web.org/tovatiwelazijegeba.pdf
    • https://cdn.sqhk.co/fipimomozuk/hhiS7AX/froberg_farm_review.pdf
    • http://wigojomet.22web.org/22554999286.pdf
    • https://cdn.sqhk.co/xurinuwame/c3yG4ih/uc_browser_download_video_ios.pdf
    • https://cdn-cms.f-static.net/uploads/4472481/normal_6040dd1d7f1ed.pdf
    • https://static.s123-cdn-static.com/uploads/4402963/normal_5ff9e4ee8d3bb.pdf
    • https://cdn-cms.f-static.net/uploads/4501980/normal_602b3d9faf965.pdf
    • https://cdn-cms.f-static.net/uploads/4391037/normal_5fe92417dc36a.pdf
    • https://cdn-cms.f-static.net/uploads/4470985/normal_6015bb208c784.pdf
    • https://cdn-cms.f-static.net/uploads/4368777/normal_60369075c5c00.pdf
    • https://cdn-cms.f-static.net/uploads/4387244/normal_60387f21134a4.pdf
    • https://static.s123-cdn-static.com/uploads/4449181/normal_5fcc34c2e7c9d.pdf
    • https://cdn.sqhk.co/gabisolovima/Ghbhdig/mibovotomo.pdf
    • https://cdn.sqhk.co/fanoxozowupe/O0idzO0/arrow_inserts_gold_tip.pdf
    • http://kugitipozad.22web.org/what_to_do_near_me_adventure.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://676a7a22-5bec-432e-92e0-9d4a0a27851c.filesusr.com/ugd/a1fb72_16831798acff4d9fa49d262b4f0b74e8.pdf?index=true
    • https://1ec9b6e7-17eb-4e1e-a994-ba5ce4cbdb7c.filesusr.com/ugd/d4a9d6_30e5fcb717894e61bb28902eea6ee244.pdf?index=true
    • https://5e3b32e6-a537-4a58-a531-ef303a468713.filesusr.com/ugd/120874_6d2ed4d4ca82429db618958094d5b6e5.pdf?index=true
    • https://uploads.strikinglycdn.com/files/218b836b-ddf2-4812-9f3f-1cf175f50bb9/is_it_wrong_to_leave_work_on_time.pdf
    • https://7f03322d-63d6-449b-a8c2-a80beffeb2b6.filesusr.com/ugd/2994dd_84fc7f291eaa416ca11a3d891a459e05.pdf?index=true
    • https://uploads.strikinglycdn.com/files/73430362-d619-4d6d-bd86-64219375e588/73687257466.pdf
    • http://gadoxijumulop.epizy.com/xoxabes.pdf
    • https://275320ff-96dd-455a-9699-a0fdc58b27a5.filesusr.com/ugd/943725_a9ac565b0ce44b87b051373231f45bdb.pdf?index=true
    • https://uploads.strikinglycdn.com/files/95bd0727-234b-47ef-9b73-4b26914da5f0/cub_cadet_lt1050_troubleshooting.pdf
    • https://uploads.strikinglycdn.com/files/5bdf2d98-7bc8-4068-ac75-2c720f1ec919/96261597846.pdf
    • https://uploads.strikinglycdn.com/files/984c99a9-225a-4ed0-ac38-44b90b8df771/42450835069.pdf
    (the following entries are XMP namespace and font-licence identifiers carried in metadata, not link targets)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
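To show how the two heuristics above, the duplicate object body across an incremental update and the per-channel URL extraction, can be reproduced in a few lines, here is an added Python example. It is not part of this report and not the scanner that produced it. It runs on a constructed two-revision PDF embedded in the script (example.* hostnames, dummy xref offsets), walks objects in file order as an approximation of the xref chain, and only sees uncompressed top-level objects; the function names and the "uri_action"/"body" channel labels are the example's own.

```python
import re

# Constructed two-revision PDF (not the analysed sample): the original body
# defines a link annotation, object 4, whose /URI action points at one URL;
# an appended incremental update redefines 4 0 obj with a different URL.
# Hostnames are example.* placeholders and the xref/offset fields are dummies,
# because this scanner walks the bytes in file order rather than the xref chain.
ORIGINAL = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] /Contents 5 0 R >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
  /A << /S /URI /URI (https://benign.example/resume.pdf) >> >> endobj
5 0 obj << /Length 45 >> stream
BT (see http://lure.example/wix?keyword=x) Tj ET
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""
UPDATE = b"""4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
  /A << /S /URI /URI (https://lure.example/wix?keyword=evidence) >> >> endobj
trailer << /Root 1 0 R /Prev 9 >>
%%EOF
"""
SAMPLE = ORIGINAL + UPDATE

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
# The /URI key followed by a literal string. "/S /URI" (a name value) never
# matches because it is not followed by "(". Hex-string values <...> are not handled.
URI_KEY_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\()])*)\)")
RAW_URL_RE = re.compile(rb"https?://[^\s()<>\"']+")


def iter_objects(data):
    """Yield (num, gen, offset, body) for each top-level 'N G obj ... endobj'.
    Objects packed in /ObjStm or behind /FlateDecode are invisible here; a real
    triage pass inflates those first, otherwise a duplicate can hide in a stream."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.start(), m.group(3).strip()


def duplicate_bodies(data):
    """(num, gen) -> list of bodies, for objects defined more than once with
    differing bytes: the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL shape."""
    seen = {}
    for num, gen, _off, body in iter_objects(data):
        seen.setdefault((num, gen), []).append(body)
    return {k: v for k, v in seen.items() if len(set(v)) > 1}


def resolve(data, policy="last"):
    """Object table as a first-wins or last-wins reader would build it from
    file order. Incremental updates are appended, so 'last' approximates a
    conforming reader following /Prev and 'first' approximates a naive scanner."""
    table = {}
    for num, gen, _off, body in iter_objects(data):
        if policy == "first" and (num, gen) in table:
            continue
        table[(num, gen)] = body
    return table


def pdf_unescape(s):
    # Enough for URL-shaped strings: drop the backslash before an escaped byte
    # (octal escapes such as \051 are left alone).
    return re.sub(rb"\\(.)", lambda m: m.group(1), s)


def extract_uris(data, policy="last"):
    """url -> set of channels. 'uri_action' marks a /URI value in the object
    table resolved under `policy` (the PDF_URI heuristic); 'body' marks any
    http(s) string found in the raw bytes (the EMBEDDED_URL sweep)."""
    found = {}
    for body in resolve(data, policy).values():
        for m in URI_KEY_RE.finditer(body):
            url = pdf_unescape(m.group(1)).decode("latin-1")
            found.setdefault(url, set()).add("uri_action")
    for m in RAW_URL_RE.finditer(data):
        found.setdefault(m.group(0).decode("latin-1"), set()).add("body")
    return found


def has_active_duplicate(data):
    """Severity trigger described in the report: a duplicated object at least
    one of whose bodies carries active content (here, a /URI action)."""
    return any(URI_KEY_RE.search(b)
               for bodies in duplicate_bodies(data).values() for b in bodies)


if __name__ == "__main__":
    for (num, gen), bodies in duplicate_bodies(SAMPLE).items():
        print("object %d %d defined %d times with differing bodies" % (num, gen, len(bodies)))
    for policy in ("first", "last"):
        print(policy + "-wins reader sees:")
        for url, channels in sorted(extract_uris(SAMPLE, policy).items()):
            print("  %-48s %s" % (url, ",".join(sorted(channels))))
    print("active duplicate:", has_active_duplicate(SAMPLE))
```

Run against the constructed sample, the first-wins table attributes the uri_action channel to the benign URL and the last-wins table to the lure URL, which is exactly the disagreement the heuristic flags; the URL inside the page content stream shows up only through the body channel, matching how the report labels URLs that no action reaches.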

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0001001a.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1001A  5564 bytes
  SHA-256: 0b4dde4cca2bdf74d73a712edadd2c52cc79d4262419061c439922ce51940313
font_01_sfnt_off00011321.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x11321  10196 bytes
  SHA-256: d0fdc787f6b04a96c43772253b76cbceca9a25a9f98da9c225434d1cb16d9355