Malicious PDF — malware analysis report

Static analysis result for SHA-256 4a09c5caf6d415b5…

MALICIOUS

PDF

Size: 83.2 KB
Created: 2021-03-25 14:39:59 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: cbea3b478d23977a1965134b1018ab15
SHA-1: 980b58e0743542b118bacfa0cef7c98bca038bb1
SHA-256: 4a09c5caf6d415b589f0d236e9b755d8597910bc29c854fdb2972e41013b3949
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF document flagged as malicious by ML classifiers and ClamAV. It contains an embedded URI pointing to a suspicious domain, disguised with a seemingly innocuous keyword. The PDF structure and embedded content suggest it's designed to trick users into visiting a malicious site, likely for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://druttle.ru/wix?keyword=minions+worksheets+printable
    • http://academic-club.ru/2020_bmw_x64e20p.pdf
    • https://static.s123-cdn-static.com/uploads/4420025/normal_60099736079c4.pdf
    • https://cdn-cms.f-static.net/uploads/4493602/normal_6012569e7fda3.pdf
    • http://sallles.ru/74855003981793md.pdf
    • https://cdn-cms.f-static.net/uploads/4416143/normal_6049be6083dbe.pdf
    • http://lnstagram-copyright-supports.com/37904099251vha09.pdf
    • https://static.s123-cdn-static.com/uploads/4494452/normal_6009490b3a7cd.pdf
    • http://good-production20.site/nexigoncwnvz.pdf
    • https://cdn-cms.f-static.net/uploads/4409246/normal_6033766a463a7.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://6762652a-e869-40f3-960d-1446d4066230.filesusr.com/ugd/55e6b1_ab40c5e022ef4d859b6495e232b67b31.pdf?index=true
    • http://vajonaz.epizy.com/60346654223.pdf
    • https://uploads.strikinglycdn.com/files/84416e28-8fe4-4ac9-acfa-42c239556aca/the_theory_of_differential_association_and_juvenile_delinquency.pdf
    • https://uploads.strikinglycdn.com/files/54a94e91-52d1-48a2-8b57-54e618bc1236/49637293663.pdf
    • https://1dab3517-3db0-43ff-9fd6-b65b51f65b60.filesusr.com/ugd/565485_731492bbd7b1473d93906a09367e9fc0.pdf?index=true
    • http://kenubuw.epizy.com/abrao_de_pai_walmir_alencar.pdf
    • https://uploads.strikinglycdn.com/files/fedcdf8e-c67e-48f7-84a7-f7e7618cf198/what_does_a_blinking_red_light_on_a_panasonic_tv_mean.pdf
    • https://32e47638-7206-44c1-ad53-5c6f9176402e.filesusr.com/ugd/e00742_1bcd1cc38827422294cd7a6ba6086d99.pdf?index=true
    • https://178c1879-e916-404b-9861-a2431bd0f83a.filesusr.com/ugd/1aace6_26f8351317684275b00f864786c014b4.pdf?index=true
    • https://uploads.strikinglycdn.com/files/69f0ff7c-7f38-491c-b484-f2a13f150ef3/segalal.pdf
    • https://76ed6b59-b034-43ac-b949-e1c08f76e3cb.filesusr.com/ugd/ee6100_254c9f1894ff4fc8b4094a830802bdd8.pdf?index=true
    • https://a1c9bafd-2917-4c1b-b79c-a4b44a941470.filesusr.com/ugd/f0f215_665dc4c4fd184ea59ec313c301e958d7.pdf?index=true
    • https://6c639bf1-704a-4500-b661-329758898742.filesusr.com/ugd/02d620_45c9b6f8392c4ebfbb2ef05b64f219f6.pdf?index=true
    • https://uploads.strikinglycdn.com/files/33acc74b-5222-4503-bf98-7093a7ec4e6f/cognitive_psychology_theory_process_and_methodology_free.pdf
    • http://xeduniramabal.rf.gd/acca_f9_past_questions_and_answers.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000f933.bin
    SHA-256: 91e4f59bad6fc896d5718e076edcd5630618d3e33351fed7ea58d5a32f61c383
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF933
    Size: 4996 bytes
  • font_01_sfnt_off00010a2c.bin
    SHA-256: 6bbabfa082fe48b942a0651195187781bccf14b7be348e73910be8379a15eb80
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10A2C
    Size: 11060 bytes
  • font_02_sfnt_off00012fac.bin
    SHA-256: 9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12FAC
    Size: 4324 bytes