Malicious PDF — malware analysis report

Static analysis result for SHA-256 4751fa249e1aeb1a…

MALICIOUS

PDF

Size: 87.0 KB
Created: 2021-03-18 07:18:25 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 623266198c306a1d2de86426ce5bb803
SHA-1: 593b3993ea39f1d6f50e06bf9ce0be55cd6cca18
SHA-256: 4751fa249e1aeb1aae95d80b278e3da5de02f4fe889e5c52af032b49d19e8093
Risk Score: 104

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains an embedded URL that is flagged as malicious and associated with phishing. The ML classifier and ClamAV detection strongly indicate malicious intent. The document body, though heavily obfuscated, contains keywords related to certificates and download lures, suggesting a phishing or social engineering attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://resalured.ru/award?keyword=bonafide+student+certificate+pdf
    • https://cdn-cms.f-static.net/uploads/4424672/normal_60466ab15655f.pdf
    • https://cdn-cms.f-static.net/uploads/4451744/normal_5fd78e0fb9f00.pdf
    • https://static.s123-cdn-static.com/uploads/4446770/normal_5fccb751cdb42.pdf
    • https://cdn.sqhk.co/lapitobexeva/jhhj5rP/fibux.pdf
    • https://cdn-cms.f-static.net/uploads/4428341/normal_60349a9ccbe46.pdf
    • https://cdn.sqhk.co/molodomo/dmBmpBW/cute_among_us_live_wallpaper.pdf
    • https://cdn.sqhk.co/sevijeruba/es2pjok/64832883862.pdf
    • https://lewixixidofuj.weebly.com/uploads/1/3/4/3/134393564/vubesegofolofiw_vawagoxab_pugexuba_vomerexagufogo.pdf
    • https://dakufosaxem.weebly.com/uploads/1/3/4/7/134771611/b83849371f5866.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://fedorahosted.org/lohit
    • http://tomosuromiv.epizy.com/36106997053.pdf
    • https://246406bc-bb0d-4f29-baed-d8a6153a9543.filesusr.com/ugd/3ddeef_d101a1103bd446fbbba791e6b642a225.pdf?index=true
    • http://dafifaxotodaraw.epizy.com/43281655719.pdf
    • https://8d67285a-e3c5-4820-bb1a-bb91ce1079a6.filesusr.com/ugd/d54300_8d3a580b08da46739302e334f6288ed2.pdf?index=true
    • http://gituloropo.rf.gd/vosawumibixilis.pdf
    • https://cb70cc59-2297-49c3-b7e2-2ac7e26e28d4.filesusr.com/ugd/4479ed_9137a4c7775442e2b8c156ff0e8eba1b.pdf?index=true
    • http://lugaderova.epizy.com/sas_urban_survival_guide_apk.pdf
    • https://153f2bed-3501-4ec5-9468-ed1987511f6d.filesusr.com/ugd/f67134_50e5e1eab0a141f1aaba5e2c1bbd540e.pdf?index=true
    • http://xakitidopapav.epizy.com/excel_sheet_separator_free.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00010718.bin
    SHA-256: 54739e7877065ca2f5e5d1ff1ad9d5f26b58271d932da3d1176206595c2c9f32
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10718
    Size: 5164 bytes
  • font_01_sfnt_off000118c2.bin
    SHA-256: 52490ca9b86dd1a47c45188baac46f3d915aa8b676c2045964ca408c64f22286
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x118C2
    Size: 12000 bytes
  • font_02_sfnt_off000141bf.bin
    SHA-256: 2573663731bd43408ba2f021839d35c95f105c70180fb649f07e447f7f39196e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x141BF
    Size: 2808 bytes