Malicious PDF — malware analysis report

Static analysis result for SHA-256 53732e5353b1c163…

Verdict: MALICIOUS

File type: PDF

Size: 74.7 KB
Created: 2021-03-20 04:49:45 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: aa878c5ec9cf4d9f3e55af35df15486a
SHA-1: 99de6151b43d5257f517edbd3240ceb5553e26a5
SHA-256: 53732e5353b1c1630a3b4ddf4f9a1034325384c0cd1f2f930c8f354a1cd47ff2

Risk Score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains an embedded URI pointing to a suspicious domain, which is likely part of a phishing or malware distribution scheme. The ML classifier and ClamAV detection strongly indicate malicious intent. Although no scripts were explicitly extracted, the presence of an external URI suggests the document is designed to redirect the user to a malicious site, potentially for further exploitation.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9956

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://botokaw.ru/wix?keyword=return+man+2+zombies+unblocked+66
    • http://zebrait.fun/nalufobozazizalajap9gatl.pdf
    • https://cdn-cms.f-static.net/uploads/4463824/normal_5fd159babd7be.pdf
    • http://ru-order-687646765445.art/book_a_table_guide_michelinp6f39.pdf
    • https://lisopivoxo.weebly.com/uploads/1/3/4/9/134901835/zaduzonutoxa.pdf
    • https://cdn.sqhk.co/xojelumegasi/eigjMjb/guide_for_free_fire_2021_january.pdf
    • https://cdn.sqhk.co/natokaze/gUIggib/dead_target_zombie_shooting_game_mod_apk.pdf
    • https://nojasiputijaze.weebly.com/uploads/1/3/4/8/134869787/dunabe_nolat_gifalav.pdf
    • https://cdn-cms.f-static.net/uploads/4454300/normal_605340cc8e50b.pdf
    • https://cdn-cms.f-static.net/uploads/4447095/normal_6055302e93000.pdf
    • https://cdn.sqhk.co/duzupafuj/fjgiaDN/jevurizuki.pdf
    • http://gijasigekafafuz.iblogger.org/build_my_life_housefires.pdf
    • https://kixifosesezor.weebly.com/uploads/1/3/3/9/133998007/sakugejipove.pdf
    • https://lolejubabam.weebly.com/uploads/1/3/1/3/131379737/temosuvezoxiji.pdf
    • http://naturmilans.fun/the_non-designers_design_book_4thgr98l.pdf
    • http://yewes.space/477143997192t07e.pdf
    • https://cdn.sqhk.co/batumozi/Yyicihg/autonics_panel_meter.pdf
    • https://cdn-cms.f-static.net/uploads/4460230/normal_6023dddae74cc.pdf
    • https://cdn-cms.f-static.net/uploads/4370092/normal_60281469f3c97.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/warapagefasovi/viwajudawizuxizumo.pdf
    • http://jepuxaribizoze.rf.gd/cantilever_slab_reinforcement_details.pdf
    • https://s3.amazonaws.com/rubidokezive/kabiwipopab.pdf
    • https://s3.amazonaws.com/fixararololu/vegas_pro_14_free_64_bit.pdf
    • https://s3.amazonaws.com/nuxomigo/bodyboss_nutrition_guide_free_download.pdf
    • https://s3.amazonaws.com/zafijukopa/super_mario_land_3_snes.pdf
    • http://bexovaxi.epizy.com/ruvukedonapi.pdf
    • http://kebegejuk.rf.gd/pivigewexodikebafogom.pdf
    • http://dejanubotikepiw.rf.gd/legends_of_runeterra_card_template.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Each entry lists filename, SHA-256, kind, source and size.

  • font_00_sfnt_off0000e6d3.bin
    SHA-256: 3e2ffbed12c5c2b9f634479e6e5eea8fa2073246f3b74ea3b066ab710794270a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE6D3
    Size: 5632 bytes
  • font_01_sfnt_off0000f9ea.bin
    SHA-256: 83c08253af066b89d5046b3c45854b29409c44ee43c6394dd5e797e60a19968e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF9EA
    Size: 10324 bytes