Malicious PDF — malware analysis report

Static analysis result for SHA-256 45e6e970c3c01b35…

Verdict: MALICIOUS
File type: PDF
Size: 83.6 KB
Created: 2021-03-16 13:20:06 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5e77d49ba2c53bcf51d595b93a458047
SHA-1: 19cb352ce2b09b9e833f068cf5e6fc91c50912ef
SHA-256: 45e6e970c3c01b35969eada4401e655a772f5794943aa80d2eaa23e07fe07cf1
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The PDF contains embedded URLs that point to external resources, likely phishing pages, as suggested by the 'PDF_URI' heuristic. Although no scripts were explicitly extracted, the 'ML_NYX_PDF_MALICIOUS' heuristic and the presence of multiple suspicious URLs suggest the PDF is designed to redirect users to malicious sites, potentially for credential harvesting or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00010531.bin
    SHA-256: e5451c75d9b5bede2960af160363061baa338cfa7abf746aa3ef1bced9f2cae0
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10531
    Size: 5340 bytes
  • Filename: font_01_sfnt_off0001176a.bin
    SHA-256: 32a94a6729a5d86f8151f75a5496f8fd177812f8bad6f83c4fa5da4d7e7e40af
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1176A
    Size: 12288 bytes