Malicious PDF — malware analysis report

Static analysis result for SHA-256 3edaebb8e20d4926…

Verdict: MALICIOUS
File type: PDF
Size: 80.3 KB
Created: 2021-05-29 06:51:00 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a8e2c51f4b85354c234d3b57aa01c1c4
SHA-1: 8ec70f5c42aa064300ff7f9b29b1ff682c794edc
SHA-256: 3edaebb8e20d4926b704837cdbfecf14264ad1859b5df6e183b3ec125c526428
Risk score: 104

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution
  • T1059.007 JavaScript

The file is identified as malicious by the ML classifier (score 0.9995) and by ClamAV, which flags it as a phishing trojan. It contains an external link action pointing to a suspicious domain (jumiwimov.ru), most likely intended to deliver a secondary payload or to redirect the user to a phishing page. A 'download button' call-to-action lure further supports the phishing-lure pattern. The remaining extracted URLs are XMP namespace identifiers, font-vendor pages and links to other PDFs hosted on public CDNs, and are not detections on their own.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics (5)

  • ClamAV detection (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Visual download / call-to-action button lure (low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). Low-signal unless other findings point to a malicious workflow.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL: https://jumiwimov.ru/123?utm_term=b.+ed+admission+form+2019+mp
    • https://cdn-cms.f-static.net/uploads/4381766/normal_602c12357072d.pdf
    • https://cdn-cms.f-static.net/uploads/4389568/normal_604925a025d70.pdf
    • https://cdn-cms.f-static.net/uploads/4498345/normal_5fda50b623094.pdf
    • https://static.s123-cdn-static-d.com/uploads/4386092/normal_60b1b2c06393c.pdf
    • https://static.s123-cdn-static.com/uploads/4417526/normal_5ff9c17216b92.pdf
    • https://cdn-cms.f-static.net/uploads/4387421/normal_6046764d96ea0.pdf
    • https://cdn-cms.f-static.net/uploads/4489844/normal_5fe9ef0024091.pdf
    • https://cdn-cms.f-static.net/uploads/4453560/normal_60336ca032e04.pdf
    • https://static.s123-cdn-static.com/uploads/4381094/normal_5fcd1c6f0fbb1.pdf
    • https://cdn-cms.f-static.net/uploads/4415326/normal_60182df13441d.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/ffec4cf4-e32e-4070-844d-30db4af59544/84258731072.pdf
    • https://uploads.strikinglycdn.com/files/e70e645c-a4cf-4a60-874d-315ea2d8042c/viper_3305v_security_system.pdf
    • https://uploads.strikinglycdn.com/files/5f0d2184-7925-4c81-bb18-ae12e6d36ff8/dell_latitude_e6530_drivers_download.pdf
    • https://uploads.strikinglycdn.com/files/9885b4fc-d281-43fa-8314-d48f5f34a14b/is_innisfree_a_korean_product.pdf
    • https://uploads.strikinglycdn.com/files/ff9539cc-b0f2-412b-aaff-8aeff7361b4f/83078659856.pdf
    • https://uploads.strikinglycdn.com/files/2f7ed676-3c22-4c4b-90d7-b30bdf4e51db/98177597113.pdf
    • https://uploads.strikinglycdn.com/files/83b6b08c-2898-4f2c-bcef-6085def970fe/warm_bodies_streaming_free.pdf
    • https://uploads.strikinglycdn.com/files/7b99e344-bb00-439a-9225-3751ea4378e1/9851141098.pdf
    • https://uploads.strikinglycdn.com/files/d88dc263-46fa-443d-bd95-dddff1dca23e/lulidegozaradopadonux.pdf
    • https://uploads.strikinglycdn.com/files/d9ac1288-17a3-49eb-9a99-755eaec189f7/24165022926.pdf
    • https://uploads.strikinglycdn.com/files/dacee0d0-ead5-4274-b8bf-20d1b54f7187/defupunoze.pdf
    • https://uploads.strikinglycdn.com/files/81eb6533-b217-4ed7-bdf4-f4c5c1dd1e0e/mukok.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
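The duplicate-object heuristic above is easy to reproduce by hand. The following Python script is an added example, not the analysis engine's own code and not derived from the sample: it indexes every "N G obj ... endobj" definition in a PDF, reports objects whose repeated definitions differ, shows what a first-wins and a last-wins parser would each resolve, and escalates severity only when the surviving (last-wins) body carries active content. The list of "active" keys, the regexes and the embedded sample PDF are all my own constructions for the example; the sample contains one benign incremental update (object 4 0, a changed /ModDate) and one that swaps a link annotation's /URI target (object 5 0).

```python
import re
from collections import defaultdict

# Keys that turn a duplicate definition from incremental-update noise into
# something worth escalating. This list is an assumption made for the example.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/URI", b"/Launch", b"/OpenAction",
               b"/AA", b"/SubmitForm", b"/GoToR")

# "N G obj <body> endobj"; the lookbehind stops us matching the tail of a
# longer number. Good enough for a quick triage pass, not a full PDF parser.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.DOTALL)

# Constructed sample (not the analysed file): an original revision with a
# link to a vendor manual, followed by an incremental update that re-emits
# object 4 0 with a new date and object 5 0 with a different /URI target.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [5 0 R] >>
endobj
4 0 obj
<< /Producer (example-gen) /ModDate (D:20210101000000) >>
endobj
5 0 obj
<< /Type /Annot /Subtype /Link /Rect [72 700 300 720] /A << /S /URI /URI (https://example.com/manual.pdf) >> >>
endobj
trailer
<< /Root 1 0 R /Size 6 >>
%%EOF
4 0 obj
<< /Producer (example-gen) /ModDate (D:20210102000000) >>
endobj
5 0 obj
<< /Type /Annot /Subtype /Link /Rect [72 700 300 720] /A << /S /URI /URI (https://lure.example.invalid/download) >> >>
endobj
trailer
<< /Root 1 0 R /Size 6 /Prev 9 >>
%%EOF
"""


def index_objects(pdf):
    """Map (num, gen) -> [(file offset, body bytes), ...] in file order."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(pdf):
        key = (int(m.group(1)), int(m.group(2)))
        objs[key].append((m.start(), m.group(3).strip()))
    return objs


def find_duplicate_objects(pdf):
    """Report every object defined more than once with differing bodies.

    Each finding records the body a first-wins reader resolves, the body a
    last-wins reader (normal incremental-update semantics) resolves, the
    active-content keys present in the last-wins body, and a severity that
    is 'high' only when such keys are present."""
    findings = []
    for (num, gen), defs in index_objects(pdf).items():
        if len(defs) < 2:
            continue
        bodies = [body for _, body in defs]
        if len(set(bodies)) == 1:
            continue  # identical re-emission: plain incremental-update noise
        first_wins, last_wins = bodies[0], bodies[-1]
        active = [k.decode() for k in ACTIVE_KEYS if k in last_wins]
        findings.append({
            "object": f"{num} {gen}",
            "definitions": len(defs),
            "first_wins": first_wins,
            "last_wins": last_wins,
            "active_content": active,
            "severity": "high" if active else "info",
            "uris": [u.decode(errors="replace") for u in URI_RE.findall(last_wins)],
        })
    return findings


if __name__ == "__main__":
    for f in find_duplicate_objects(SAMPLE_PDF):
        print(f"obj {f['object']} defined {f['definitions']}x "
              f"severity={f['severity']} active={f['active_content']} uris={f['uris']}")
```

Run against a real file by replacing SAMPLE_PDF with the bytes read from disk. Object 4 0 comes out as "info" because the only change is a date; object 5 0 comes out as "high" because the last-wins body carries a /URI action, and the two resolved bodies show that a first-wins viewer and a last-wins viewer would open different targets from the same link. Triage the URIs reported for the last-wins body first, since that is what Acrobat-style readers actually follow.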

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000ec7f.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xEC7F; Size: 5424 bytes
    SHA-256: 876c47f12a890586e37cd0f57299eb97d002cbe4226a43cecea2447031a688d3
  • font_01_sfnt_off0000fed3.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xFED3; Size: 10936 bytes
    SHA-256: 646b31385974b77d54c7a9e5c783f989bee19d1aa2c099fc4389a8febed0f6d0
  • font_02_sfnt_off0001240f.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x1240F; Size: 4324 bytes
    SHA-256: 9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2