Malicious PDF — malware analysis report

Static analysis result for SHA-256 5291d8137603ee2e…

Verdict: MALICIOUS
File type: PDF
Size: 80.1 KB
Created: 2021-04-08 16:03:17 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5d49bed33de4e594b178e019c9a886fc
SHA-1: 7733302739ebf73d7d6b76e7510f1808a014e869
SHA-256: 5291d8137603ee2eccdb77da9832744a6d2117608e217c7c2545039d983d3359
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains an embedded URI pointing to a suspicious domain, identified by ML classifiers and ClamAV as malicious. The document body, though heavily obfuscated, appears to contain metadata related to its creation, suggesting it's a wrapper for a malicious link rather than legitimate content. The presence of external URIs strongly indicates an attempt to redirect the user to a phishing or malware download site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9954

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000ec52.bin
  SHA-256: d18808d678f89f080e3bcf005d9396e7f7104e2e845ba693a52917e3e6291308
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xEC52
  Size: 4980 bytes

Filename: font_01_sfnt_off0000fd35.bin
  SHA-256: 369a96b1f5a6504b8a4fdd61936a6de8595ee66ad68b9a008d7466b69e991c4b
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xFD35
  Size: 11208 bytes

Filename: font_02_sfnt_off000122d0.bin
  SHA-256: 0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x122D0
  Size: 4324 bytes