Malicious PDF — malware analysis report

Static analysis result for SHA-256 4116beb93303d3ba…

Verdict: MALICIOUS
File type: PDF
Size: 80.4 KB
Created: 2021-04-04 19:01:10 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 342e3202267bce0abba8d93b361870ef
SHA-1: 7cd3f52596c091ab9af58c2b0c8e47b5e6893673
SHA-256: 4116beb93303d3ba266dc9edf3f986356590ea63afeb4a504d1d511cf8c58a1e
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file was detected as malicious by the ML classifiers and by ClamAV, which labels it a phishing trojan. It contains an embedded URL pointing to a suspicious domain, most likely part of a phishing or malware-distribution scheme. Although no scripts were explicitly extracted, the PDF structure and the embedded-URI heuristic suggest an attempt to redirect the user to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000f564.bin (SHA-256 d3895c88fbe7f93f812996707f8de0f29293b8082daec9707ab1cd1348a8e820) | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF564 | 5348 bytes
font_01_sfnt_off000107b3.bin (SHA-256 7b9663b58b9f060abc9ba8ccaf777c0d8530a313c34127ef617a071604aaffd8) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x107B3 | 14464 bytes