Malicious PDF — malware analysis report

Static analysis result for SHA-256 3df86c0d184d6cd6…

Verdict: MALICIOUS
File type: PDF
Size: 78.4 KB
Created: 2021-04-04 01:54:56 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d1b4e1772632fc6315d28e7411faea91
SHA-1: d212f394ff8c1f8584a66d7c69f20f5de13593d1
SHA-256: 3df86c0d184d6cd6d29371d6d2ecff21fad7708762208d60ba77d0792c8bf2ce
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file was flagged as malicious by the ML classifier (score 0.9961) and by ClamAV (Pdf.Phishing.Trojan), which is consistent with a phishing lure or trojan-distribution document rather than an exploit document. No JavaScript or other scripts were extracted, so the T1059.007 mapping rests on the detection labels rather than on observed script content; the file was rendered from HTML by wkhtmltopdf, which is typical of mass-produced lure PDFs. The document carries a link annotation (external URI action) whose target advertises a game "mod APK" download (the "/wix?keyword=call+of+mini+zombies+mod+apk+revdl" URI), and its body contains a large set of further URLs to .pdf files on free-hosting and CDN domains, a pattern consistent with SEO-spam redirect chains that lead the reader to download additional content. One indirect object is defined twice with different bodies (an incremental-update shape that can make first-wins and last-wins parsers render different content); it is rated info because the duplicate carries no active content. The remaining URLs (w3.org, purl.org, ns.adobe.com namespaces, scripts.sil.org/OFL, ascendercorp.com) are the kind of strings found in XMP metadata and embedded-font licence or vendor fields and are not indicators on their own. Overall the detection profile indicates an intent to trick users into following the link and downloading harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9961

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://nipisod.ru/wix?keyword=call+of+mini+zombies+mod+apk+revdl
    • http://vevaroda.scienceontheweb.net/gewagobovikotiz.pdf
    • https://cdn.sqhk.co/kupawusel/hdjbihT/red_lobster_coupons_doordash.pdf
    • http://interior.estate/idle_home_makeover_download5121q.pdf
    • https://cdn.sqhk.co/rovonoset/gdSvPje/42539506617.pdf
    • http://2220202.ru/oral_b_triumph_professional_care_bluetooth_anleitungnpmtg.pdf
    • https://cdn.sqhk.co/joziroluxu/nDndgfE/royal_family_news_from_around_the_world.pdf
    • http://copyrightreports.com/xitafosxntw3.pdf
    • http://wacc-cat.org/ridgid_air_compressor_ol50145mw_manual36mqj.pdf
    • https://cdn.sqhk.co/vimerokil/Vgehc13/cupcake_art_ideas.pdf
    • http://niwizonoleror.mywebcommunity.org/58862725086.pdf
    • http://sifaritube.sportsontheweb.net/bible_timeline_chart_jeff_cavins.pdf
    • http://vijevejumozugim.sportsontheweb.net/nazijasisefeni.pdf
    • https://cdn.sqhk.co/jagibuvat/hfjzgi4/13040486631.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/bezorito/slack_app_for_windows_10.pdf
    • https://8d928d4c-4e32-4dc6-8093-d383c90b3cca.filesusr.com/ugd/b5d49c_4e0ff1e8152f48a9931be63f13570844.pdf?index=true
    • https://4c2674ec-1430-4cec-a455-d6a35d10586e.filesusr.com/ugd/38955b_7e933d9ecf6a4be88c66a7388d815ee4.pdf?index=true
    • http://tafituza.rf.gd/polk_audio_3.1_sound_bar_review.pdf
    • http://vapufebifuv.epizy.com/cycle_cycle_full_song.pdf
    • https://44eeb0f0-4dc9-4d8b-b3fd-cc7ace98e90e.filesusr.com/ugd/a083a1_22aec7f9074a4ee5806221098b30bdd2.pdf?index=true
    • http://gigegukamo.epizy.com/elementos_halogenos.pdf
    • https://s3.amazonaws.com/radubozufiwo/73448933169.pdf
    • http://zosajaxuv.epizy.com/xewigolo.pdf
    • https://488a161d-122f-4e25-b35e-34d1d0e27b34.filesusr.com/ugd/bbc910_e239f72fbfa74cd1a356804aa2555ddc.pdf?index=true
    • https://s3.amazonaws.com/xisefowu/jordan_canonical_form_diagonalizable_matrix.pdf
    • http://suxorodefis.epizy.com/aquelarre_de_muecas.pdf
    • https://s3.amazonaws.com/woneketelak/22849206623.pdf
    • http://paxerakomis.onlinewebshop.net/42942751095.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
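As an added example (not part of this report or of the analysis engine that produced it), the following Python script reproduces the two structural checks behind the PDF_URI/EMBEDDED_URL and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristics above on a constructed PDF. It enumerates every `N G obj ... endobj` definition in the raw bytes, reports object numbers whose bodies differ between definitions (raising severity only when a body carries active keys such as /URI, /JS or /Launch, as the heuristic description says), and labels each extracted URL with the channel that reached it: a link-annotation /URI action, an XMP metadata stream, or the plain document body. The sample bytes, the placeholder URLs and the ACTIVE_KEYS list are assumptions for illustration. The scan is deliberately byte-level so that it sees both definitions of a duplicated object rather than whichever one a conforming parser would resolve.

```python
import re
from collections import defaultdict

# Constructed sample (not the analysed file): object "4 0" is defined twice with
# different bodies, and the second definition (after the first %%EOF, i.e. an
# incremental update) carries a /URI action. Object 5 is an XMP metadata stream
# whose namespace URL is not a lure. All URLs here are placeholders.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /Annots [4 0 R] /Metadata 5 0 R >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] >>
endobj
5 0 obj
<< /Type /Metadata /Subtype /XML /Length 93 >>
stream
<x:xmpmeta xmlns:x="adobe:ns:meta/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/>
endstream
endobj
trailer
<< /Root 1 0 R >>
%%EOF
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]
   /A << /S /URI /URI (https://example.invalid/wix?keyword=mod+apk) >> >>
endobj
%%EOF
"""

# "N G obj <body> endobj"; the lookbehind stops "10 0 obj" matching as "0 0 obj".
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
# A URI action: /S /URI ... /URI (target); the target ends at an unescaped ')'.
URI_ACTION_RE = re.compile(rb"/S\s*/URI\b.*?/URI\s*\((.*?)(?<!\\)\)", re.S)
# Any http(s) URL appearing as plain text (body, XMP, font strings, ...).
URL_RE = re.compile(rb"https?://[^\s<>\"')]+")
# Assumed list of keys that make a duplicate object "active content".
ACTIVE_KEYS = (b"/URI", b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA", b"/EmbeddedFile")


def find_duplicate_objects(data):
    """Return {'N G': info} for objects defined more than once with differing bodies."""
    bodies = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        key = f"{int(m.group(1))} {int(m.group(2))}"
        bodies[key].append(m.group(3).strip())
    dups = {}
    for key, blist in bodies.items():
        if len(blist) > 1 and len(set(blist)) > 1:  # same number, different bytes
            dups[key] = {
                "definitions": len(blist),
                "first": blist[0],   # what a first-wins reader resolves
                "last": blist[-1],   # what a last-wins reader resolves
                "active": any(k in b for b in blist for k in ACTIVE_KEYS),
            }
    return dups


def extract_urls(data):
    """Return {url: [channels]} where a channel says how the URL was reached."""
    channels = defaultdict(set)
    for m in OBJ_RE.finditer(data):
        body = m.group(3)
        action_urls = {u.group(1).decode("latin-1") for u in URI_ACTION_RE.finditer(body)}
        for url in action_urls:
            channels[url].add("link_annotation" if b"/Annot" in body else "uri_action")
        is_meta = re.search(rb"/Type\s*/Metadata", body) is not None
        for u in URL_RE.finditer(body):
            url = u.group(0).decode("latin-1")
            if url in action_urls:      # already attributed to the action above
                continue
            channels[url].add("xmp_metadata" if is_meta else "document_body")
    return {u: sorted(c) for u, c in channels.items()}


def triage(data):
    """Turn both checks into report-style (severity, message) findings."""
    findings = []
    for key, d in find_duplicate_objects(data).items():
        sev = "warning" if d["active"] else "info"
        findings.append((sev, f"PDF_DUPLICATE_OBJ_BODY {key}: {d['definitions']} definitions, "
                              f"first-wins/last-wins readers disagree, active content={d['active']}"))
    for url, chans in sorted(extract_urls(data).items()):
        if "link_annotation" in chans or "uri_action" in chans:
            findings.append(("info", f"PDF_URI {url} via {','.join(chans)}"))
        elif chans == ["xmp_metadata"]:
            findings.append(("benign", f"metadata namespace {url}"))
        else:
            findings.append(("info", f"EMBEDDED_URL {url} via {','.join(chans)}"))
    return findings


if __name__ == "__main__":
    for sev, msg in triage(SAMPLE_PDF):
        print(f"[{sev}] {msg}")
```

Run it as-is to see the sample's findings, or pass the bytes of a real file to `triage()`. Two limitations matter in practice: the byte scan does not look inside object streams (/ObjStm) or compressed cross-reference streams, so a duplicate or URI hidden in a compressed container needs a real parser (for example pdfminer or pypdf) rather than this regex pass, and URL strings inside font programs or XMP packets only indicate metadata unless a separate channel (action, annotation, script) actually reaches them.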

Extracted artifacts (2)

Files carved from inside the sample during analysis. Both artifacts are embedded sfnt fonts, as expected for a document rendered by wkhtmltopdf; no scripts or embedded files were carved.

  • font_00_sfnt_off0000f32a.bin
    SHA-256: 5a73755c0ade1a1ff808f496c2c767d5421ace166d1c5667c34309f570dbe58a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF32A
    Size: 5404 bytes
  • font_01_sfnt_off0001057c.bin
    SHA-256: c7e27d2c9b625a4cb0c5ddd573eea35df511b8c9b0683a8a64e7a08739abce40
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1057C
    Size: 11220 bytes