Malicious PDF — malware analysis report

Static analysis result for SHA-256 4850967c22790a74…

Verdict: MALICIOUS
File type: PDF
Size: 372.4 KB
Created: 2021-06-15 12:03:58 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: fb84d5b52c6a09befe49b4d513db9c94
SHA-1: e31e1c03cd5eda2c7d9a05bc9974146df2d36409
SHA-256: 4850967c22790a745d5d2f4e9f269c449b619337bacdde817eccfac8d115056b
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The file is classified as malicious by the ML classifier and by ClamAV, which together produce the high risk score. It carries an external URI action pointing to a suspicious URL, most likely the lure: the huntic.ru URL extracted below carries a utm_term of 'mehndi ka photo design', which matches the theme of the otherwise heavily obfuscated document body and points to a phishing or social-engineering pretext. No scripts were extracted, so the T1059.007 (JavaScript) mapping is not backed by a recovered payload; the verdict rests on the embedded URIs, the classifier score and the ClamAV signature, consistent with a document whose purpose is to redirect the reader to attacker-controlled content. Of the other extracted URLs, the w3.org, purl.org and ns.adobe.com entries are XMP metadata namespace identifiers, and the ascendercorp.com and scripts.sil.org/OFL entries are font vendor and licence URLs that most likely come from the name tables of the two embedded fonts carved below; none of those is a lure and they should not be blocked or reported as indicators.

Machine Learning

  • Nyx PDF Classifier: malicious, score 0.9676

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware under the signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0.
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates (the appended-update mechanism PDF uses to save edits), so severity is raised only when the duplicate carries active content such as an action or script.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://huntic.ru/pbw?utm_term=mehndi+ka+photo+design
    • https://boxomuti.weebly.com/uploads/1/3/4/0/134016719/julimijuxuv.pdf
    • https://cdn-cms.f-static.net/uploads/4480170/normal_60be715d61bec.pdf
    • https://kuvuwivozud.weebly.com/uploads/1/3/6/0/136091804/lilupesiwinabefu.pdf
    • https://wuzitefagoxu.weebly.com/uploads/1/3/1/8/131856046/jasakawodekoniba.pdf
    • https://katifakemu.weebly.com/uploads/1/3/1/3/131381151/a004a5c7.pdf
    • https://cdn-cms.f-static.net/uploads/4483082/normal_605b1e9913436.pdf
    • https://biditojutorosas.weebly.com/uploads/1/3/4/6/134657596/mileka.pdf
    • https://cdn-cms.f-static.net/uploads/4487902/normal_6068e10a5a87a.pdf
    • https://sakaromef.weebly.com/uploads/1/3/4/5/134507496/xusokikibig.pdf
    • https://wujezevo.weebly.com/uploads/1/3/0/8/130874127/1c1ca8149d8bff4.pdf
    • https://bitiwinelezom.weebly.com/uploads/1/3/1/8/131856531/xasuxo.pdf
    • https://kewidavarij.weebly.com/uploads/1/3/4/6/134696647/filubij.pdf
    • https://jadufebifov.weebly.com/uploads/1/3/4/6/134627690/9905957.pdf
    • https://static.s123-cdn-static.com/uploads/4465149/normal_5fe530b91578e.pdf
    • https://static.s123-cdn-static.com/uploads/4370294/normal_6001389f0fc9a.pdf
    • https://jumifusat.weebly.com/uploads/1/3/4/6/134629025/tugusag-gonubezawo.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/505d81b3-c7bb-4d39-ad7d-44e430d1e75e/concordancia_nominal_exercicios_com_gabarito_9o_ano.pdf
    • http://petapek.pbworks.com/w/file/fetch/145202418/51590643520.pdf
    • https://uploads.strikinglycdn.com/files/43126f1b-99b3-4af0-984c-e9243b27214c/sketchup_software_free_download_64_bit.pdf
    • https://uploads.strikinglycdn.com/files/3e9fa631-fd18-4620-b440-45ec27440791/1814337006.pdf
    • https://uploads.strikinglycdn.com/files/e7a822da-679c-4965-8c1a-11b9fe70256a/zebiribi.pdf
    • http://rijunepupuja.pbworks.com/w/file/fetch/144937347/suzuki_piano_book_2_sonatina_in_g_major.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

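The per-URL channel labels that the EMBEDDED_URL heuristic refers to can be approximated as follows (added example written for this page, not the analyser's code). It separates URLs that a link annotation's /URI action would actually navigate to from XMP namespace identifiers and from bare URLs in text or comments, which is the distinction that makes the huntic.ru link above actionable while the w3.org, purl.org and ns.adobe.com entries are not. The sample bytes and the hostnames in them are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample, not the analysed file: a link annotation whose /URI
# action targets a lure, an XMP metadata stream carrying namespace URIs, a
# bare URL inside page text, and a font-licence URL in a comment.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
  /A << /S /URI /URI (https://lure.example/pbw?utm_term=mehndi) >> >> endobj
2 0 obj << /Type /Metadata /Subtype /XML /Length 170 >>
stream
<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/></x:xmpmeta>
endstream
endobj
3 0 obj << /Length 60 >>
stream
BT /F1 12 Tf (Download: https://cdn.example/uploads/1/file.pdf) Tj ET
endstream
endobj
4 0 obj << /Type /FontDescriptor /FontName /Foo
  % licence: http://scripts.sil.org/OFL
>> endobj
"""

# Any http(s) URL, stopping at whitespace and PDF/XML delimiters.
URL_RE = re.compile(rb"https?://[^\s()<>\"']+")
# The target of a URI action: the /URI key followed by a literal string.
# "/S /URI" is followed by another name, not "(", so it does not match here.
URI_ACTION_RE = re.compile(rb"/URI\s*\(\s*(https?://[^)]+)\)")
# XMP namespace declarations inside the metadata stream.
XMLNS_RE = re.compile(rb'xmlns:\w+="(https?://[^"]+)"')


def label_urls(data):
    """Map every URL found in the raw bytes to the channel(s) carrying it."""
    action_targets = set(URI_ACTION_RE.findall(data))
    xmlns_targets = set(XMLNS_RE.findall(data))
    labels = defaultdict(set)
    for url in set(URL_RE.findall(data)):
        if url in action_targets:
            labels[url].add("link_annotation")  # a click navigates here: actionable
        if url in xmlns_targets:
            labels[url].add("xmp_namespace")    # schema identifier, never fetched
        if not labels[url]:
            labels[url].add("document_body")    # text or comment only: not clickable
    return {u.decode("latin-1"): sorted(c) for u, c in labels.items()}


def actionable_urls(data):
    """URLs a viewer would navigate to on user interaction."""
    return sorted(u for u, c in label_urls(data).items() if "link_annotation" in c)


if __name__ == "__main__":
    for url, channels in sorted(label_urls(SAMPLE_PDF).items()):
        print(f"{','.join(channels):16} {url}")
    print("actionable:", actionable_urls(SAMPLE_PDF))
```

Real samples usually FlateDecode their content and metadata streams and may encode strings as hex `<...>` or with escape sequences, so decompress and decode with a PDF parser and run the regexes over the result; the channel logic is unchanged. A URL that appears only as document_body still deserves a look when the body text is the lure, but it is not something the viewer will open on its own.
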
Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0005866b.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5866B | 5160 bytes
  SHA-256: 8c5bb326f87ff4285d12ac95a659ab9d2fb9f3b3f4689c2745eedcd73ee0d946
font_01_sfnt_off00059802.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x59802 | 12220 bytes
  SHA-256: 8884e14a04abc3fa73455e8b164b004a11a3bd93d19e1d4cec2cd4b9651f2978