Malicious PDF — malware analysis report

Static analysis result for SHA-256 5451af201cba49ca…

Verdict: MALICIOUS
File type: PDF

Size: 174.8 KB
Created: 2021-05-06 22:35:17 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 52d5b4d08c6d6b3dc5b92d60ea67674d
SHA-1: 75e6897620c379cc81188bea0b7adfa5eb6fe9a2
SHA-256: 5451af201cba49ca850d8f47314786fd3a825102f7b4b88f2c51761a2e0a09e1
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF carries an external URI action pointing to a suspicious domain (the seumenha.ru link listed under Embedded URL below), and ClamAV identifies the file as Pdf.Phishing.Trojan. The document body is heavily obfuscated, but what can be recovered, together with the link's query string (utm_term=sony+a6500+vs+a6600), suggests a camera-model comparison lure designed to get the reader to follow the malicious URL. No JavaScript or other script objects were extracted, so the T1059.007 mapping is not corroborated by this static pass; the verdict rests on the external link, the ClamAV signature and the ML classifier's high score, which together point to phishing or malware distribution. Many of the other extracted URLs (further hosted PDFs, XMP namespace URIs, font licence links) appear to be strings in the document body and metadata rather than link targets, so they should be read as context rather than as additional indicators.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9954

Heuristics (4)

  • ClamAV detection: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV signature match; the file is detected as malware under the name above.
  • External URI (info, PDF_URI)
    The PDF contains an external URL action (/URI), i.e. a link that opens a web resource when followed.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will therefore resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate body carries active content (a URI, JavaScript, launch or open action).
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL channel label (macro, JS, link annotation, document body, ...) says how each one was reached.
    Labelled URL: https://seumenha.ru/strik?utm_term=sony+a6500+vs+a6600
    Other extracted URLs (channel labels not shown on this page):
    • https://cdn.sqhk.co/goganededem/d2ieiid/bts_dynamite_remix_release_date.pdf
    • http://italywow.info/186018547nn08l.pdf
    • http://wacc-cat.org/wizidowejigiihhw.pdf
    • https://xuvuvigaxopezut.weebly.com/uploads/1/3/4/7/134721928/6d22122150.pdf
    • https://widedajixefur.weebly.com/uploads/1/3/5/3/135312737/nesemoxonesunatofufo.pdf
    • http://jarisudowapebi.sportsontheweb.net/8th_grade_science_worksheets_with_answer_key.pdf
    • http://virona.org/is_jelly_beans_good_for_toddlerse5vsv.pdf
    • http://fionainthefield.org/7749321134712kxg.pdf
    • https://vozunekoba.weebly.com/uploads/1/3/4/9/134902797/bb147a42385a.pdf
    • http://nageramuvepom.mywebcommunity.org/study_bible_download_for_android.pdf
    • https://cdn.sqhk.co/ruwonumatag/jahjzja/juicy_fruit_gum_commercial_song.pdf
    • http://reveruverof.medianewsonline.com/25615606409.pdf
    • https://cdn.sqhk.co/jawosuzexe/qihFcQl/74509414469.pdf
    • http://regsenatvumen.website/the_virtue_of_selfishness_critiqued15me.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/a5a275d0-6a3b-43e9-9950-36e07021da46/vagijiwatizinip.pdf
    • https://c4bedd8b-a3e9-4aa8-9751-a6fde4035b7e.filesusr.com/ugd/037f08_411f128e8c7d477181a3b3a68512a1de.pdf?index=true
    • https://uploads.strikinglycdn.com/files/8d793f0b-7a9b-4b0c-9c31-334c50bbe3e3/where_are_all_the_brandy_melville_locations.pdf
    • http://wegorabeg.atwebpages.com/adjective_pronoun_exercise.pdf
    • https://uploads.strikinglycdn.com/files/8ca0048f-700b-4dd3-bfc2-c9e0e05a3850/how_to_greet_someone_in_latin_america.pdf
    • https://5862e4ea-63a6-4c92-af93-e06d02d1a664.filesusr.com/ugd/eaa371_ced21b396fb4402897a603d3d201daa2.pdf?index=true
    • https://45dcde1a-aed5-4138-b95e-a0f768a283bf.filesusr.com/ugd/89441e_303edc1af67a4c798797647c92e448cf.pdf?index=true
    • https://6ec3981f-6443-463b-a164-91fc69f101d9.filesusr.com/ugd/7603ae_c5996f8e75c240e0a68fdea4f9c95571.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
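As an added example (not part of the report or its tooling), the following Python scanner reproduces the two structural checks above on a constructed PDF: it indexes every `N G obj … endobj` definition, reports object numbers defined more than once with differing bodies, resolves each under first-wins and last-wins policies, flags the case where the duplicate carries active content, and separates /URI link targets from URLs that merely appear in the document body. The sample PDF, its object numbers and the `analyse` / `link_target` helper names are constructed for this example; the two link targets reuse URLs from the list above. It works on raw bytes and does not inflate streams or walk the xref chain, so on a real sample a negative result is only meaningful after the file has been decompressed or handed to a proper parser.

```python
import re
from collections import defaultdict

# Constructed sample (not the analysed file): a small PDF whose incremental
# update redefines object 4, the page's link annotation, with a different /URI.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /Contents 6 0 R /Annots [4 0 R] >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (http://www.daltonmaag.com/) >> >>
endobj
5 0 obj
<< /Producer (wkhtmltopdf 0.12.5) >>
endobj
6 0 obj
<< /Length 44 >>
stream
BT (see http://dejavu.sourceforge.net) Tj ET
endstream
endobj
trailer
<< /Root 1 0 R /Info 5 0 R >>
%%EOF
4 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://seumenha.ru/strik?utm_term=sony+a6500+vs+a6600) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")   # literal-string /URI values only
URL_RE = re.compile(rb"https?://[-A-Za-z0-9._~:/?#@!$&'*+,;=%\[\]]+")
ACTIVE_RE = re.compile(rb"/(URI|JavaScript|JS|Launch|OpenAction|AA)\b")


def index_objects(pdf):
    """Map (number, generation) -> list of body bytes, in file order."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(pdf):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return objs


def duplicate_objects(pdf):
    """Objects defined more than once with differing bodies -> (first body, last body)."""
    return {key: (b[0], b[-1]) for key, b in index_objects(pdf).items() if len(set(b)) > 1}


def resolve(pdf, key, policy="last"):
    """Body a first-wins or last-wins reader would use for this object."""
    bodies = index_objects(pdf)[key]
    if not bodies:
        raise KeyError(key)
    return bodies[0] if policy == "first" else bodies[-1]


def link_target(pdf, key, policy="last"):
    """/URI value of the object as resolved under the given policy, or None."""
    m = URI_RE.search(resolve(pdf, key, policy))
    return m.group(1) if m else None


def extract_urls(pdf):
    """Split URLs by channel: /URI link targets vs. strings found anywhere else."""
    link = {m.group(1) for body in sum(index_objects(pdf).values(), [])
            for m in URI_RE.finditer(body)}
    return {"link_annotation": link, "document_body": set(URL_RE.findall(pdf)) - link}


def analyse(pdf):
    dups = duplicate_objects(pdf)
    return {
        "duplicate_objects": dups,
        # severity is raised only when a duplicated body carries active content
        "duplicate_active": any(ACTIVE_RE.search(b) for pair in dups.values() for b in pair),
        "urls": extract_urls(pdf),
    }


if __name__ == "__main__":
    for key in duplicate_objects(SAMPLE_PDF):
        print(key, "first-wins ->", link_target(SAMPLE_PDF, key, "first"))
        print(key, "last-wins  ->", link_target(SAMPLE_PDF, key, "last"))
    print(analyse(SAMPLE_PDF)["urls"])
```

The point of resolving under both policies is that the rendered link depends on the reader: a viewer that honours the last definition (the normal incremental-update behaviour) follows the seumenha.ru URL, while a first-wins tool sees only the benign daltonmaag.com target and reports nothing suspicious.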

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size / SHA-256

font_00_sfnt_off00021478.bin
    Kind: pdf-font-stream    Source: PDF embedded font (sfnt) at offset 0x21478    Size: 18152 bytes
    SHA-256: 0bc7911154ef3d6e9a27e7bd2079132d4cd1cd39ac07e99fa86cd22532b25481
font_01_sfnt_off00024f3a.bin
    Kind: pdf-font-stream    Source: PDF embedded font (sfnt) at offset 0x24F3A    Size: 4780 bytes
    SHA-256: 37d602ebd5306e950cd8dad515e4c2ec51fcd468efdb5900954d4dac3804e95b
font_02_sfnt_off00025f70.bin
    Kind: pdf-font-stream    Source: PDF embedded font (sfnt) at offset 0x25F70    Size: 12172 bytes
    SHA-256: 7289b2328b4395a5c5ea283f644a55e464db2263a21ebb1c001e9bc536431b8e
font_03_sfnt_off0002892e.bin
    Kind: pdf-font-stream    Source: PDF embedded font (sfnt) at offset 0x2892E    Size: 16204 bytes
    SHA-256: 541fa2b6826b0add99b7d5a173ef1e6a5567607b5192f75b810eb17d6a563501
font_04_sfnt_off00029e5c.bin
    Kind: pdf-font-stream    Source: PDF embedded font (sfnt) at offset 0x29E5C    Size: 4324 bytes
    SHA-256: 1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e
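As an added example (not from the report's carving pipeline), this is the check a practitioner would run on each carved sfnt before accepting the "embedded font" label at face value: parse the offset table and table directory and confirm that every table lies inside the file and is 4-byte aligned, that the core tables are present, and that the head table carries its magic number. The two fonts below are constructed for the example (`build_sfnt` is an example-only helper), one self-consistent and one with a directory length patched past end-of-file; the check does not verify table checksums or glyph data, so an empty problem list means "well-formed directory", not "safe".

```python
import struct

SFNT_VERSIONS = {0x00010000: "TrueType", 0x4F54544F: "OpenType/CFF (OTTO)", 0x74727565: "Apple 'true'"}
HEAD_MAGIC = 0x5F0F3CF5   # magicNumber field at offset 12 of the head table


def parse_sfnt_directory(data):
    """Return (version, [(tag, checksum, offset, length), ...]) from the offset table."""
    if len(data) < 12:
        raise ValueError("shorter than an sfnt offset table")
    version, num_tables, _search, _entry, _shift = struct.unpack(">IHHHH", data[:12])
    if version not in SFNT_VERSIONS:
        raise ValueError("unknown sfnt version 0x%08x" % version)
    if len(data) < 12 + 16 * num_tables:
        raise ValueError("table directory truncated")
    tables = [struct.unpack(">4sIII", data[12 + 16 * i:28 + 16 * i]) for i in range(num_tables)]
    return version, tables


def sfnt_problems(data):
    """Structural inconsistencies in a carved sfnt; [] means self-consistent, not safe."""
    problems = []
    _version, tables = parse_sfnt_directory(data)
    tags = [t[0] for t in tables]
    if len(set(tags)) != len(tags):
        problems.append("duplicate table tags")
    for tag, _csum, off, length in tables:
        name = tag.decode("latin-1")
        if off + length > len(data):
            problems.append("table %s runs past end of file (%d > %d)" % (name, off + length, len(data)))
        if off % 4:
            problems.append("table %s offset %d not 4-byte aligned" % (name, off))
    for req in (b"head", b"hhea", b"hmtx", b"maxp"):   # minimum any real TrueType carries
        if req not in tags:
            problems.append("required table %s missing" % req.decode())
    for tag, _csum, off, length in tables:
        if tag == b"head" and off + 16 <= len(data):
            magic = struct.unpack(">I", data[off + 12:off + 16])[0]
            if magic != HEAD_MAGIC:
                problems.append("head magic 0x%08x != 0x5F0F3CF5" % magic)
    return problems


def build_sfnt(tables):
    """Example-only helper: assemble a minimal sfnt from (tag, payload) pairs, checksums left 0."""
    n = len(tables)
    pow2, sel = 1, 0
    while pow2 * 2 <= n:
        pow2, sel = pow2 * 2, sel + 1
    header = struct.pack(">IHHHH", 0x00010000, n, pow2 * 16, sel, n * 16 - pow2 * 16)
    directory, body, offset = b"", b"", 12 + 16 * n
    for tag, payload in tables:
        directory += struct.pack(">4sIII", tag, 0, offset, len(payload))
        padded = payload + b"\0" * (-len(payload) % 4)   # tables start on 4-byte boundaries
        body += padded
        offset += len(padded)
    return header + directory + body


# Constructed samples (not the carved fonts listed in the report)
HEAD = struct.pack(">IIII", 0x00010000, 0, 0, HEAD_MAGIC) + b"\0" * 38   # 54-byte head table
GOOD_FONT = build_sfnt([(b"head", HEAD), (b"hhea", b"\0" * 36), (b"hmtx", b"\0" * 4), (b"maxp", b"\0" * 6)])
# Tamper: the 'hmtx' directory record is the third (bytes 44..60); its length field is bytes 56..60
BAD_FONT = GOOD_FONT[:56] + struct.pack(">I", 0x7FFFFFFF) + GOOD_FONT[60:]

if __name__ == "__main__":
    for label, font in (("good", GOOD_FONT), ("tampered", BAD_FONT)):
        print(label, len(font), "bytes:", sfnt_problems(font) or "directory consistent")
```

Running it over the five carved `font_NN_sfnt_*.bin` files is a quick way to confirm they are ordinary embedded font subsets rather than something else stored behind a /FontFile2 stream; a table that overruns the file or a missing head magic is the point at which to hand the blob to a dedicated font parser.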