Malicious PDF — malware analysis report

Static analysis result for SHA-256 3c793906d014c21f…

MALICIOUS

PDF

75.4 KB Created: 2021-02-18 02:06:49 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 156a58f2bde4dde4cca0613b47c87064 SHA-1: 2892da8169def68f34b0b94b84a99cc509edbcbf SHA-256: 3c793906d014c21f0f745df4a0bb58bdea799b826636cb1f8e231fe6e0eac0e8
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains an embedded URI that points to a suspicious domain, likely intended to redirect the user to a malicious site. The ML classifier and ClamAV detection strongly indicate malicious intent, classifying it as a phishing trojan. While no scripts were explicitly extracted, the PDF structure and embedded URLs suggest it's designed to exploit users through deceptive content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jacksth.ru/strik?utm_term=spss+survival+manual+5th+edition+amazon
    • https://cdn.sqhk.co/pakebisas/gghiXie/76126161124.pdf
    • http://fijixedi.22web.org/firefox_60._0._1.pdf
    • https://cdn-cms.f-static.net/uploads/4385004/normal_5fd16a3d7781e.pdf
    • https://cdn.sqhk.co/temirikuji/fnghXkI/bapeven.pdf
    • https://cdn.sqhk.co/dolitife/iha74hc/pawn_stars_the_game_most_expensive_item.pdf
    • http://wizudaneku.iblogger.org/mokivifuwetalo.pdf
    • https://cdn.sqhk.co/kikolibub/VgdBvji/2790571292.pdf
    • http://gidepel.22web.org/beforward_toyota_hiace_van_manual.pdf
    • http://lolabarafusiru.iblogger.org/rilopojajabilesosoniludaw.pdf
    • http://piwudev.iblogger.org/battle_for_wesnoth_strategy_guide.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • http://vejaxekeni.epizy.com/adventure_communist_gold_hack_apk.pdf
    • https://s3.amazonaws.com/baposivarabuj/bluestacks_for_windows_10_pro.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d9a1.bin
e4fc67f404f24656eaed168ddfae3ef6bb2287c789c80554311a82974524c8d6		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD9A1 5420 bytes
font_01_sfnt_off0000ebe2.bin
254fe4ab28d54e97ac5b052ff22211f27a186f7f7d48ee352453343666e24790		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEBE2 11664 bytes
font_02_sfnt_off0001120e.bin
ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1120E 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.