Malicious PDF — malware analysis report

Static analysis result for SHA-256 4b122cbe857655cb…

MALICIOUS

PDF

Size: 150.6 KB
Created: 2021-03-22 18:05:33 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 444f7ac090c6c6b2cab59a8b32ffe7a8
SHA-1: 83e113fca8d6f08c8aa30bf43b0065550b1397d6
SHA-256: 4b122cbe857655cb3e763edc82a6aa7409958d1de72484c5e3b994cb9a71052d
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file was detected as malicious by ML classifiers and by ClamAV, which labels it a phishing trojan. It contains an embedded URL that appears to be a lure, disguised as a search result for educational material. No scripts were extracted from the sample; however, malicious PDFs frequently rely on JavaScript, and the presence of an external URI action strongly suggests an attempt to redirect the user to a malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9964

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://crophysi.ru/123?utm_term=minna+no+nihongo+pdf+answers
    • https://wogalipa.weebly.com/uploads/1/3/4/3/134316604/9033982.pdf
    • https://static.s123-cdn-static.com/uploads/4402710/normal_5ff1de3b1c054.pdf
    • https://cdn.sqhk.co/fefamuve/siag6Ga/world_cup_2026_tickets_on_sale.pdf
    • https://cdn.sqhk.co/mugejufunij/jQIgcf7/gladiator_vr_game.pdf
    • https://nedotumawu.weebly.com/uploads/1/3/4/6/134626041/2071049.pdf
    • https://xuxamiwi.weebly.com/uploads/1/3/4/6/134624415/c60dd14f07777.pdf
    • https://cdn-cms.f-static.net/uploads/4460460/normal_6023d0b1e1a78.pdf
    • https://static.s123-cdn-static.com/uploads/4377379/normal_600069c2b79f9.pdf
    • https://cdn-cms.f-static.net/uploads/4373749/normal_603952006fc14.pdf
    • https://cdn.sqhk.co/divekezor/gRgggc9/ftdi_vegetarian_meal_plan.pdf
    • https://cdn.sqhk.co/xugumewaz/hcUyghb/asana_pranayama_mudra_bandha_amazon.pdf
    • https://cdn-cms.f-static.net/uploads/4470964/normal_601647db7fd2e.pdf
    • https://cdn.sqhk.co/pajerelo/gjwQgdY/adobe_photoshop_sketch.pdf
    • https://nituxokijawagez.weebly.com/uploads/1/3/0/9/130969825/460da1d9cf.pdf
    • https://cdn-cms.f-static.net/uploads/4481527/normal_600d634d922ff.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/c1d179fc-ef72-44db-9ab8-0834b4af1c5d/what_is_internal_control_system_in_auditing.pdf
    • https://uploads.strikinglycdn.com/files/0b5a7899-a57d-4140-915d-9789dbdf253e/icom_ic_756_pro_iii_mods.pdf
    • https://uploads.strikinglycdn.com/files/83775930-dd43-47e2-b611-53b76096394b/how_to_light_a_lopi_wood_stove.pdf
    • https://uploads.strikinglycdn.com/files/540d619d-5e82-456b-abbb-9a750b84f065/6515787887.pdf
    • https://uploads.strikinglycdn.com/files/8a4f9168-3cea-4a54-a80c-3b092b2b9806/oster_large_toaster_oven_walmart.pdf
    • https://uploads.strikinglycdn.com/files/ce9d364e-bc3b-4bf6-9717-4dac9c1b8a9a/zonurubajoki.pdf
    • https://uploads.strikinglycdn.com/files/997ab9a5-0440-4373-acb0-c33eb4ce4710/gonawebojizapitori.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://savannah.gnu.org/projects/freefont/
    • http://www.gnu.org/licenses/
    • http://www.gnu.org/copyleft/gpl.html
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Fields per artifact: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off0001128a.bin
    SHA-256: 048fb1891f432488516cd811e7b04d68e7d39e548ca3495625137f8fb0c23ff4
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1128A
    Size: 6744 bytes
  • font_01_sfnt_off0001233f.bin
    SHA-256: bdbacf6f7d2179fdfcd9c4eeb9f66f07a3ad4dec739566dfb153bbf6286ee5f9
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1233F
    Size: 72876 bytes
  • font_02_sfnt_off0001ff25.bin
    SHA-256: dc767fba913a64edaa26c45c9845c9f3e2809059c2ad9e3897d72010d63b6055
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1FF25
    Size: 5368 bytes
  • font_03_sfnt_off00021189.bin
    SHA-256: ceddc334bb7821b6bffb1e58fb1ef4a383495654f926c1aeb25888fe461be7ed
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x21189
    Size: 10724 bytes
  • font_04_sfnt_off0002367f.bin
    SHA-256: a7731fb79cdcd5f3d5b74c8bd58fa9d3b9375a8aebc124cc8ada2999840edf65
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2367F
    Size: 16240 bytes