Malicious PDF — malware analysis report

Static analysis result for SHA-256 44ed842303bac5bf…

Verdict: MALICIOUS
File type: PDF
Size: 79.5 KB
Created: 2021-03-23 02:30:48 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-06-30
MD5: f4107b53fc072c565809edad1d96a7b0
SHA-1: 57bdb489ac24470521f83fbe9f93229bb3560612
SHA-256: 44ed842303bac5bfef2dc00347f25e03285db06a84e5be418a26515189c17f96
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged by multiple heuristics, including a high-confidence ML classifier and ClamAV, indicating malicious intent. It contains an embedded URL that masquerades as a search result for a legal document, likely serving as a lure to a phishing site or a download location for further malicious payloads. The PDF structure itself does not contain readable content, suggesting it is primarily a container for malicious links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9967

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://dugedepap.ru/wix?keyword=mcculloch+v.+maryland+%25281819%2529+elements+of+the+case+worksheet+answers (PDF link annotation)
    • http://misstourist.info/vilezaqgzjw.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4505358/normal_5ffad405f3463.pdf (in PDF document text)
    • https://cdn.sqhk.co/novigigexuxo/Jjciana/wuteta.pdf (in PDF document text)
    • http://bogplaktnc.fun/64653672795pb99.pdf (in PDF document text)
    • https://cdn.sqhk.co/libobivole/icggjfR/wifubote.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4480412/normal_5fdffd8e476b5.pdf (in PDF document text)
    • https://cdn.sqhk.co/febowozefu/giicscp/grand_piano_for_child.pdf (in PDF document text)
    • https://cdn.sqhk.co/vasinabew/pjcOUgf/nintendo_switch_online_cost_uk.pdf (in PDF document text)
    • http://soul-felt.com/tozogiwuluwonefezkneaj.pdf (in PDF document text)
    • https://cdn.sqhk.co/mozedizupi/iibhijf/indonesia_drag_bike_racing.pdf (in PDF document text)
    • https://cdn.sqhk.co/rawejefipemi/3vbhccT/cnc_machine_for_wooden_signs.pdf (in PDF document text)
    • https://cdn.sqhk.co/tuwesedujila/ijehbRi/lavivutojugemomejobog.pdf (in PDF document text)
    • https://cdn.sqhk.co/gomurabog/jXKKjiW/pixel_gun_3d_online_generator_free.pdf (in PDF document text)
    • https://cdn.sqhk.co/genazeres/XRp3hjL/formal_vs_informal_english_worksheets.pdf (in PDF document text)
    • https://cdn.sqhk.co/vibebexez/wD6jeIA/senior_citizen_word_games_for_seniors_printable.pdf (in PDF document text)
    • https://cdn.sqhk.co/pijovowifil/d6jcuig/mx_player_app_not_installed_error.pdf (in PDF document text)
    • https://cdn.sqhk.co/fofotixoz/geYugis/4th_grade_learning_games_online_free.pdf (in PDF document text)
    • https://cdn.sqhk.co/siboxowimu/7ievhfC/puredolonewar.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4403818/normal_5fc5c64e2cf00.pdf (in PDF document text)
    • https://cdn.sqhk.co/nasanoroge/Pq3TjfU/uncertainty_principle_example.pdf (in PDF document text)
    • https://cdn.sqhk.co/nawamuzimosu/p4j0WQK/64306623239.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://uploads.strikinglycdn.com/files/39e83a74-950d-41e3-9bfa-da10831ab90c/magnus_chase_the_sword_of_summer_audiobook.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/8047820e-de5f-4d73-afb9-b02fd206b762/coleman_lantern_228e_parts_diagram.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/0fa9ce31-93e4-4d4f-8115-a0b4c06910f6/solo_parent_leave_2019_dole.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/6195e7fe-bf2c-414a-a365-6c460e185f1b/will_i_find_true_love_tarot_spread.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/cff38ad7-8870-4538-a1e3-7ffa4d223068/fajit.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f509.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xF509
Size: 6172 bytes
SHA-256: eed61e5a2d3ad01947e1a3de4dbea35d0c33155429d0633884262f7c1bb5e203

Filename: font_01_sfnt_off00010a1e.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x10A1E
Size: 11060 bytes
SHA-256: 7ee5e58e2335a51608761feb9b2543d7baebdeca1e03a99d8c85c9a5ac23679c