Malicious PDF — malware analysis report

Static analysis result for SHA-256 3e233a61e0427a2e…

Verdict: MALICIOUS
File type: PDF

Size: 87.4 KB
Created: 2021-03-09 14:24:53 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f3bcc20d5d942bd5f396bfebccd2081d
SHA-1: 5b47422d1e22188a66cfdbc7bdfc8d32a256ff15
SHA-256: 3e233a61e0427a2e1265128a777a695921db95146e16c0094830150026bf9a1c
Risk score: 104

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file was detected as malicious by ClamAV and an ML classifier, with heuristics indicating it's a phishing lure. The embedded URL, https://jacksth.ru/award?keyword=fpu+allocated+spending+plan+pdf, likely leads to a malicious site. While no scripts were explicitly extracted, the PDF structure and the nature of the lure suggest it's designed to trick users into downloading further payloads or visiting phishing pages.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jacksth.ru/award?keyword=fpu+allocated+spending+plan+pdf

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off00010b38.bin
    SHA-256: 26bf5472a801b899debf613d368f586f659cabedcf883df77f6ea43f24a53af9
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10B38
    Size: 5064 bytes
  • font_01_sfnt_off00011c82.bin
    SHA-256: 1a69d8aa8030a4b75496ff90db418eb30214f5115752f0154666061100611878
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11C82
    Size: 10960 bytes
  • font_02_sfnt_off000141d1.bin
    SHA-256: b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x141D1
    Size: 4324 bytes