Malicious PDF — malware analysis report

Static analysis result for SHA-256 42ebdba656b5c0fb…

Verdict: MALICIOUS
File type: PDF
Size: 87.0 KB
Created: 2021-03-15 05:32:25 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 26dee1213d658dd55c91207ed840bf0c
SHA-1: 738a1d53e6fa6a2aba8e6fc305c7c7a7f5a672db
SHA-256: 42ebdba656b5c0fb844b746114aed482ddf155a7b8505ef427a97984e1615bd6
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by ML classifiers and ClamAV as malicious, specifically as a phishing trojan. It contains an embedded URL that leads to a suspicious domain, likely intended to host a malicious payload or phishing page. Although no scripts were directly extracted, the PDF structure and embedded URI suggest an attempt to trick the user into visiting a malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9989

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://jacksth.ru/wix?keyword=ramadan+2020+calendar+nyc
    • https://cdn-cms.f-static.net/uploads/4374704/normal_603df085b1a30.pdf
    • http://ruguwafe.scienceontheweb.net/how_to_interpret_data_in_science_with_r.pdf
    • https://cdn-cms.f-static.net/uploads/4489402/normal_60281be57d138.pdf
    • https://rofixuninapo.weebly.com/uploads/1/3/5/3/135313709/52b8dae5db12.pdf
    • https://cdn-cms.f-static.net/uploads/4491686/normal_5fd7d8a8ea218.pdf
    • http://lojapidabud.mypressonline.com/68697057977.pdf
    • https://cdn-cms.f-static.net/uploads/4374371/normal_602036c89ca04.pdf
    • https://xobiduri.weebly.com/uploads/1/3/1/4/131437628/33a243dd5e35.pdf
    • https://static.s123-cdn-static.com/uploads/4455179/normal_5fec7d986793a.pdf
    • https://nogapixefakul.weebly.com/uploads/1/3/4/5/134590999/zilol.pdf
    • https://static.s123-cdn-static.com/uploads/4366325/normal_6000ac0596f53.pdf
    • https://gazuxupoje.weebly.com/uploads/1/3/4/1/134108966/72e2fa.pdf
    • https://cdn-cms.f-static.net/uploads/4377112/normal_6048cfc5d1d4b.pdf
    • https://cdn-cms.f-static.net/uploads/4467277/normal_6048d34dd0952.pdf
    • https://gumewixolasadaz.weebly.com/uploads/1/3/4/6/134659592/6495778.pdf
    • http://kutatit.getenjoyment.net/gravity_falls_journal_3_pages.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/temujonuwu/boiler_control_system_engineering.pdf
    • https://s3.amazonaws.com/winumigutam/purble_place_juego_apk_android.pdf
    • https://uploads.strikinglycdn.com/files/2590d082-eb2e-484b-aabc-11da2c138d98/45108932613.pdf
    • https://uploads.strikinglycdn.com/files/f362342e-f255-4ff6-aa3d-6b43fa373ffc/basudit.pdf
    • https://s3.amazonaws.com/xazarujokemus/altice_one_app.pdf
    • https://uploads.strikinglycdn.com/files/072a2714-300e-4683-a5b2-b67b19076ff2/supply_chain_management_online_course_in_india.pdf
    • https://s3.amazonaws.com/fibesezati/kobofu.pdf
    • https://s3.amazonaws.com/jeromopelurab/lagu_betrayal_michael_learn_to_rock.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    • http://scripts.sil.org/OFL

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: stream_004_off00012498.bin
  SHA-256: 9cdc1a0a30022056ca93084275449a749462f08845e59220dc7e31118fe675af
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x12498
  Size: 22864 bytes

Artifact 2
  Filename: font_00_sfnt_off0000ed0f.bin
  SHA-256: cc5e2efa1b369acba435750e36f17e565cebad06de5894500a1dc6838af91aec
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xED0F
  Size: 5288 bytes

Artifact 3
  Filename: font_01_sfnt_off0000feff.bin
  SHA-256: cbac120d1d47f165ad50049c6a8ea0cd0271694ce4fd9f8b36db57708543e081
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xFEFF
  Size: 11164 bytes