Malicious PDF — malware analysis report

Static analysis result for SHA-256 3e4bb276143522fa…

MALICIOUS

PDF

102.1 KB Created: 2021-05-11 11:34:16 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 699d3f317d08a808d579bea99d1603a8 SHA-1: 5c08b9a38d370cc409e6c8338be9e4e455f3c20f SHA-256: 3e4bb276143522fa4d891ad5f7e0077c7dd514cbf087ea1fa0027cf230aee0e6
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains an embedded URI pointing to a suspicious domain, identified by both heuristics and a machine learning classifier as malicious. The document body, though heavily obfuscated, appears to contain text related to the URL's query parameter, suggesting a phishing or social engineering lure. The presence of an external URI strongly suggests an attempt to redirect the user to a malicious site, likely for credential harvesting or further malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9976

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jumiwimov.ru/strik?utm_term=what+does+chinese+character+ren+mean
    • https://cdn-cms.f-static.net/uploads/4444356/normal_606819265bfd4.pdf
    • https://cdn-cms.f-static.net/uploads/4445564/normal_60530039ce268.pdf
    • http://nunedarozozo.22web.org/95317499330.pdf
    • https://cdn-cms.f-static.net/uploads/4480581/normal_60547779c4583.pdf
    • https://static.s123-cdn-static.com/uploads/4446400/normal_5febd43f724cd.pdf
    • https://static.s123-cdn-static.com/uploads/4414339/normal_5ff35f4de6b8e.pdf
    • http://stav-games.ru/716021547585g9v2.pdf
    • http://maewallace.com/kuvutajaffmc2.pdf
    • http://dapumad.iblogger.org/60332044744.pdf
    • http://avto-document.site/98591107807w97tx.pdf
    • https://cdn-cms.f-static.net/uploads/4369306/normal_605fbc067fea1.pdf
    • http://rozikukaganu.22web.org/random_amplification_of_polymorphic_dna.pdf
    • https://static.s123-cdn-static.com/uploads/4421342/normal_5fce22b5855a4.pdf
    • https://cdn-cms.f-static.net/uploads/4412887/normal_60437c3c93b2d.pdf
    • http://winfreeiphone.xyz/825264188283qvqr.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://ab60d57a-1f92-408f-9079-0b325776b613.filesusr.com/ugd/724fb5_f824b4e0435c4da5a2959539e6be1367.pdf?index=true
    • https://s3.amazonaws.com/susonanezaj/akshar_publication_general_knowledge_book.pdf
    • http://topajikof.epizy.com/hair_clippers_cordless_set.pdf
    • https://s3.amazonaws.com/numegubowalonan/parts_of_speech_quiz_printable_8th_grade.pdf
    • http://mumizoxagoguros.rf.gd/gauge_pressure_vs_absolute_pressure.pdf
    • https://c84ffda1-e72a-45fa-8ce8-a771970cf326.filesusr.com/ugd/9fd656_762a934fc42249bb86cb60c7b6e7c9b8.pdf?index=true
    • https://s3.amazonaws.com/dudurat/koriso.pdf
    • https://56352102-112a-4456-a677-0775450c4ed3.filesusr.com/ugd/ed4e87_e2a9dff1581b4808ae35d8d3f108bb95.pdf?index=true
    • https://2cc935b2-b854-4d3d-8499-e3bac5ec7384.filesusr.com/ugd/2e82fc_e04d3be2a1d54d80a50ddc585d184b53.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001336c.bin
b14ac38b7e52c954d4b7c2cb661ab42bb3ff81fda8c50bb9c5e0749a22c78442		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1336C 3500 bytes
font_01_sfnt_off0001400c.bin
88ba5e5aa7d4e9971adbba4fb3d50f21b79e1efafba1743c77cc3188555a13b7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1400C 4948 bytes
font_02_sfnt_off000150ab.bin
ce8b444dbf0fd0e3e390805836e89028b51d11c0e0cf100e4aa018df4f259026		 pdf-font-stream PDF embedded font (sfnt) at offset 0x150AB 13776 bytes
font_03_sfnt_off00017a5d.bin
9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x17A5D 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.