Malicious PDF — malware analysis report

Static analysis result for SHA-256 3b8452dca5796777…

MALICIOUS

PDF

Size: 78.3 KB
Created: 2021-01-19 03:44:30 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1c6399ebabe72bdf62f04f87dd40a44c
SHA-1: d32aa51d3dfa39253f952d57a6ed3f2e8ed1f5af
SHA-256: 3b8452dca5796777901a0735ae1333e4a4356f3e2b6a8996b393e02361888045
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF document that contains a URL disguised as an application guide. The ML classifier and ClamAV detection strongly indicate malicious intent, likely phishing or malware distribution. No scripts were extracted, but the embedded URL is the primary indicator of compromise.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (info) PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info) PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content for that object, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://jacksth.ru/aws?utm_term=university+of+amsterdam+application+guide
    • https://static.s123-cdn-static.com/uploads/4380867/normal_5fed01a08cc6d.pdf
    • http://manekobe.22web.org/53949339900.pdf
    • https://cdn-cms.f-static.net/uploads/4369331/normal_5fa45537cd6e6.pdf
    • https://static.s123-cdn-static.com/uploads/4409098/normal_5fdcb10e67337.pdf
    • https://cdn-cms.f-static.net/uploads/4500677/normal_5fd96c65b08eb.pdf
    • https://static.s123-cdn-static.com/uploads/4465924/normal_5ff6783bd382c.pdf
    • https://static.s123-cdn-static.com/uploads/4479446/normal_5ff97a24ea00b.pdf
    • https://site-1166710.mozfiles.com/files/1166710/formula_amounts_by_age_ml.pdf
    • http://doxisolawasusig.66ghz.com/don_best_injury_report.pdf
    • https://static.s123-cdn-static.com/uploads/4484364/normal_5ff81b1024b73.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://xuvunemomot.epizy.com/buvefofabipalufivugonibe.pdf
    • https://s3.amazonaws.com/wovigebi/the_greatest_showman_video_songs.pdf
    • https://s3.amazonaws.com/loranoduzuja/tewizexikiwunumi.pdf
    • http://samanoniminowut.epizy.com/foxtel_tv_guide_nfl.pdf
    • https://s3.amazonaws.com/padadutiseni/19644935307.pdf
    • http://xijuroluzuka.epizy.com/arabic_fonts_for_microsoft_word_2010.pdf
    • https://s3.amazonaws.com/vanatul/misewetusajusutove.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000f391.bin
    SHA-256: 46504fd2fe1052ab6cff7542249318b5228c40702ae850707cd60ecb98398dbc
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF391
    Size: 5628 bytes
  • Filename: font_01_sfnt_off000106b7.bin
    SHA-256: 596ce3252c4b5a7459d5030163284e792dea84c0dfbb28faaa470f02db58d59d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x106B7
    Size: 11420 bytes