Malicious PDF — malware analysis report

Static analysis result for SHA-256 3f4ad501eb806118…

Verdict: MALICIOUS
File type: PDF
Size: 90.4 KB
Created: 2021-04-18 18:24:44 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 58208e54aba50a50ecb2b01befcdff03
SHA-1: e9d7646e5d13a1bafcbcd82ba06c7395724b351b
SHA-256: 3f4ad501eb8061185972940f61fd28c1884192ce1d8ca8768550d25ed54ff935
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains an embedded URI pointing to a suspicious domain, which is a strong indicator of a phishing or malware distribution attempt. The ML classifier and ClamAV detection further support its malicious nature. Although no scripts were explicitly extracted, the presence of external URIs suggests the document is designed to redirect users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000118cf.bin
  SHA-256: 36a771d8c8b6bd56ea72ca6fd99e7b80a970f98b2c8936170082b0ef52435a3e
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x118CF
  Size: 1876 bytes

Filename: font_01_sfnt_off000121de.bin
  SHA-256: 9f4298f6bcd5ffe683435232726dd7ed14ea5e60126d757758255db25c2eb769
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x121DE
  Size: 5772 bytes

Filename: font_02_sfnt_off00013554.bin
  SHA-256: 22a480a820306cb4e6e6c0685dd17b75868aeb4cee51f3e578b8c5184d08d81d
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x13554
  Size: 11284 bytes