Malicious PDF — malware analysis report

Static analysis result for SHA-256 3ecb56f095bc8056…

Verdict: MALICIOUS
File type: PDF
Size: 88.1 KB
Created: 2021-04-02 18:44:23 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 06771b155df016ecc3229965e9b59791
SHA-1: e304828260c7d659aab61c6c9693ad1a3fabdd8d
SHA-256: 3ecb56f095bc80568350eaf6ead1efd038e16dfa7ce04b3ccea99b98a525b77b
Risk score: 116

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript

The PDF file was flagged by multiple heuristics, including a critical ClamAV detection for 'Pdf.Phishing.Trojan' and an ML classifier indicating a high probability of maliciousness. The 'SE_CALLBACK_LURE' heuristic specifically points to a callback phishing or tech-support scam pattern, where the document likely prompts the user to call a provided phone number. While no scripts were extracted, the presence of external URIs suggests potential redirection or payload delivery.
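The callback-lure pattern described above can be checked mechanically: a phone number is a lure only when it sits next to a call verb and a billing/refund/subscription/fraud/security term, and the match is suppressed for legitimate-issuer wording that carries no urgency. The following is an added illustration written for this page, not the scanner's own SE_CALLBACK_LURE rule; the keyword lists, the phone-number pattern (North American numbering only), the 200-character context window and the suppression rule are assumptions, and the two input texts are constructed, not taken from the analysed PDF.

```python
import re

# Added illustration of the SE_CALLBACK_LURE idea, not the scanner's rule set.
# Keyword lists, the phone pattern, the context window and the suppression rule
# are assumptions chosen for the example.
CONTEXT_TERMS = ("billing", "refund", "subscription", "fraud", "security",
                 "invoice", "charged", "renewal")
URGENCY_TERMS = ("immediately", "within 24 hours", "cancel", "dispute",
                 "unauthorized", "will be charged")
LEGIT_ISSUER_TERMS = ("internal revenue service", "irs.gov", "department of",
                      "official form")
# North American numbering only; other formats would need more patterns.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
CALL_VERB_RE = re.compile(r"\b(?:call|dial|phone|contact)\b")


def callback_lure_verdict(text: str, window: int = 200) -> dict:
    """Flag text that tells the reader to phone a number in a billing/fraud context.

    A phone number counts as a lure only if, within `window` characters of it,
    there is both a call verb and a billing/refund/subscription/fraud/security
    term. Hits are then suppressed for legitimate-issuer wording that carries no
    urgency or charge/dispute escalation, mirroring the heuristic's stated rule.
    """
    lowered = text.lower()
    hits = []
    for m in PHONE_RE.finditer(text):
        lo, hi = max(0, m.start() - window), min(len(text), m.end() + window)
        ctx = lowered[lo:hi]
        terms = [t for t in CONTEXT_TERMS if t in ctx]
        if terms and CALL_VERB_RE.search(ctx):
            hits.append({"number": m.group(), "context_terms": terms})
    urgency = [t for t in URGENCY_TERMS if t in lowered]
    legit_issuer = any(t in lowered for t in LEGIT_ISSUER_TERMS)
    suppressed = bool(hits) and legit_issuer and not urgency
    return {
        "flagged": bool(hits) and not suppressed,
        "hits": hits,
        "urgency": urgency,
        "suppressed": suppressed,
    }


# Constructed sample texts (not extracted from the analysed PDF).
LURE_TEXT = (
    "Your antivirus subscription has been renewed and $399.99 was charged to your "
    "card. If you did not authorize this, call our billing desk immediately at "
    "+1 (888) 555-0142 to cancel and request a refund."
)
LEGIT_TEXT = (
    "If you believe you are a victim of tax-related identity theft or fraud, "
    "call the Internal Revenue Service at 800-829-1040."
)

if __name__ == "__main__":
    for label, text in (("lure", LURE_TEXT), ("legit", LEGIT_TEXT)):
        print(label, callback_lure_verdict(text))
```

The first text is flagged (phone number beside "call", "billing", "charged", "refund" and the urgency words "immediately" and "cancel"); the second text also contains a phone number in a fraud context, but the issuer wording and the absence of any urgency term suppress it, which is the behaviour the heuristic's own description asks for. In a real pipeline the text would come from the PDF's content streams after text extraction, and the number pattern would need to cover the locales you expect.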

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will therefore resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://jumiwimov.ru/strik?utm_term=when+does+my+ham+radio+license+expire
    • http://kmplitka.shop/is_word_crush_puzzle_game_free03450.pdf
    • https://cdn-cms.f-static.net/uploads/4404297/normal_6046bab3d5e29.pdf
    • https://cdn-cms.f-static.net/uploads/4421354/normal_6064bc8a75984.pdf
    • http://world-wildshop.com/how_do_i_change_my_wifi_settings_on_my_hp_printer2gx26.pdf
    • http://bunutib.mywebcommunity.org/chapter_two_literature_review.pdf
    • https://cdn-cms.f-static.net/uploads/4476443/normal_600a6546e1e78.pdf
    • http://mishgen.com/chernobyl_2019_sub_indomc2ji.pdf
    • http://hocostyle.ru/65123731839b5xxj.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.opentle.org
    • https://uploads.strikinglycdn.com/files/92ee8bf0-d2da-47ef-88c9-e6064a7d3829/muxopipugegog.pdf
    • https://uploads.strikinglycdn.com/files/2f205567-10b2-4889-9b96-ee27d995c502/the_5th_wave_2_trailer_2019.pdf
    • http://xojudemavu.onlinewebshop.net/lewefisukuraxewo.pdf
    • https://uploads.strikinglycdn.com/files/dfe43b47-1568-4f06-80aa-c05ae96447b4/7107534181.pdf
    • https://uploads.strikinglycdn.com/files/55454d0c-835e-4c3e-a0b9-b43fb7d59dee/mifinusoviwuluwivu.pdf
    • https://uploads.strikinglycdn.com/files/397ba7e0-e2a5-417f-a6fd-495a54322538/pusuwiziraf.pdf
    • https://uploads.strikinglycdn.com/files/ec4f0d37-1ee3-425c-8b3e-5db16c7e5f8f/the_last_song_cast_miley_cyrus_lyrics.pdf
    • https://uploads.strikinglycdn.com/files/16387778-241a-4873-96a2-fabbbdf9b91f/takaki_a_different_mirror_chapter_5.pdf
    • https://uploads.strikinglycdn.com/files/2d0bdff8-0ae2-42cb-bee7-c1ab440ebdae/keurig_mini_coffee_maker_not_working.pdf
    • https://uploads.strikinglycdn.com/files/accc136b-a5ed-47cf-9446-b562890b0d17/pesazasuxetunuzipexoso.pdf
    • https://uploads.strikinglycdn.com/files/e3ec70ec-ba14-470d-ae48-23ed9a2ccc02/how_do_you_change_the_brightness_on_a_calculator.pdf
    • https://uploads.strikinglycdn.com/files/14872b7d-7dfd-4e01-b61a-89f31fdd4473/78703992546.pdf
    • http://xusapibu.onlinewebshop.net/77661303879.pdf
    • https://uploads.strikinglycdn.com/files/c1a065bb-4106-4692-90fd-aff4be0cf342/how_to_make_pop_art_on_procreate.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://www.gnu.org/licenses/gpl.html
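Two of the heuristics above, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and EMBEDDED_URL, are easiest to understand on a file you can read by eye. The block below is an added example written for this page, not the scanner's code: a regex-level object scanner that lists every definition of each indirect object, shows which body a first-wins and a last-wins reader would take, raises severity only for duplicates that carry active content, and labels every URL with the channel that reached it (link-annotation /URI action versus XMP metadata namespace, which is why URLs such as the w3.org and ns.adobe.com entries in the list above are expected in a benign document). The sample PDF is hand-made and deliberately minimal (no xref table, no stream /Length), the domains are reserved example names, and the channel vocabulary is an assumption for illustration.

```python
import re
from collections import defaultdict

# Constructed sample, not the analysed file: a minimal, non-conforming PDF whose
# incremental update (after the first %%EOF) redefines link annotation 4 0 obj
# with a new /URI and the info dictionary 5 0 obj with a new /Title. 6 0 obj
# carries XMP metadata whose namespace URLs are benign. Domains are reserved
# example names.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 6 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [10 10 200 30] /A << /S /URI /URI (http://www.example.com/) >> >> endobj
5 0 obj << /Title (Invoice) /Producer (wkhtmltopdf) >> endobj
6 0 obj << /Type /Metadata /Subtype /XML >> stream
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dc="http://purl.org/dc/elements/1.1/"/>
endstream endobj
trailer << /Root 1 0 R /Info 5 0 R >>
%%EOF
4 0 obj << /Type /Annot /Subtype /Link /Rect [10 10 200 30] /A << /S /URI /URI (http://phish.example/landing.pdf) >> >> endobj
5 0 obj << /Title (Invoice v2) /Producer (wkhtmltopdf) >> endobj
trailer << /Root 1 0 R /Info 5 0 R /Prev 0 >>
%%EOF
"""

OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
GENERIC_URL_RE = re.compile(rb"""https?://[^\s"'<>()]+""")
LINK_ANNOT_RE = re.compile(rb"/Subtype\s*/Link\b")
# Keys that make a duplicate definition "active content" for severity purposes
# (assumed list for this example).
ACTIVE_RE = re.compile(
    rb"/(?:JavaScript|JS|Launch|URI|OpenAction|AA|SubmitForm|GoToR|RichMedia)\b")


def parse_objects(data: bytes) -> dict:
    """Map (object number, generation) -> list of body bytes in file order."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return objs


def resolve(objs: dict, key: tuple, policy: str = "last") -> bytes:
    """Body a first-wins or last-wins reader would use for `key`."""
    bodies = objs[key]
    return bodies[-1] if policy == "last" else bodies[0]


def duplicate_objects(objs: dict) -> list:
    """Objects defined more than once with differing bodies.

    Severity is raised only when some definition carries active content, since
    benign incremental updates also redefine objects (here: /Info's /Title).
    """
    findings = []
    for key, bodies in objs.items():
        if len(bodies) > 1 and len(set(bodies)) > 1:
            active = any(ACTIVE_RE.search(b) for b in bodies)
            findings.append({
                "obj": key,
                "definitions": len(bodies),
                "first_wins": bodies[0],
                "last_wins": bodies[-1],
                "severity": "medium" if active else "info",
            })
    return sorted(findings, key=lambda f: f["obj"])


def extract_urls(objs: dict) -> list:
    """Every URL with the channel that reached it, per object definition."""
    out = []
    for key, bodies in objs.items():
        for idx, body in enumerate(bodies):
            seen = set()
            for m in URI_ACTION_RE.finditer(body):
                url = m.group(1).decode("latin-1")
                seen.add(url)
                channel = "link-annotation" if LINK_ANNOT_RE.search(body) else "uri-action"
                out.append({"obj": key, "definition": idx, "channel": channel, "url": url})
            for m in GENERIC_URL_RE.finditer(body):
                url = m.group(0).decode("latin-1")
                if url in seen:
                    continue
                channel = "xmp-metadata" if b"/Metadata" in body else "document-body"
                out.append({"obj": key, "definition": idx, "channel": channel, "url": url})
    return out


if __name__ == "__main__":
    objs = parse_objects(SAMPLE_PDF)
    for f in duplicate_objects(objs):
        print(f["obj"], f["severity"], "first-wins:", f["first_wins"][:60])
        print(" " * 14, "last-wins: ", f["last_wins"][:60])
    for u in extract_urls(objs):
        print(u["obj"], u["definition"], u["channel"], u["url"])
```

Running it reports 4 0 obj as a medium-severity duplicate (both definitions are /URI actions, and a first-wins reader lands on www.example.com while a last-wins reader lands on phish.example) and 5 0 obj as an informational one (only the title changed), and labels the two metadata URLs as xmp-metadata rather than link-annotation. A real parser must also honour the xref table and object streams; this regex scan is only meant to make the duplicate-definition shape and the per-channel labelling concrete.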

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00010699.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10699
  Size: 5496 bytes
  SHA-256: 03cd98e085d1736033ec1d31a527d8b2d55726c4c72f12b0ef30fe26e7c0f434

Filename: font_01_sfnt_off00011929.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x11929
  Size: 6600 bytes
  SHA-256: 66fe4931a70f09ade68707bf76d307803d63fe0a1a5b346b9647d9a09ba5e133

Filename: font_02_sfnt_off00012ab5.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x12AB5
  Size: 11832 bytes
  SHA-256: ee4d073164996877369a3e7d23c387beb697dcb754e9723770e18635869dd749