Malicious PDF — malware analysis report

Static analysis result for SHA-256 54a657c3bf2c69fd…

Verdict: MALICIOUS
File type: PDF
Size: 122.7 KB
Created: 2021-03-23 17:55:22 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8ba97f563ce43c137374492d784e9fa1
SHA-1: 730518e7ceca113e922db44b3161f042467bbb09
SHA-256: 54a657c3bf2c69fd2c21a8329d784d49090a1f8c6b9f33983e0a3b9448ae0cfe
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The document carries an external URI action that sends the reader to a suspicious domain; the first URL listed under Embedded URL (https://leonvi.ru/strik?utm_term=...) is the most likely target of that action, although the per-URL channel labels are not reproduced in this view. The ML classifier (0.9992) and the ClamAV phishing signature agree on the verdict. No JavaScript or other script was extracted from the file, so the T1059.007 mapping rests on the classifier and signature rather than on observed code; the mechanism actually observed is a link or open action that redirects the user out of the document, consistent with credential harvesting or staged payload delivery. Two further points support the lure assessment: the authoring application is wkhtmltopdf, i.e. the PDF was rendered from an HTML page rather than authored, and the body links to a long list of other .pdf files on free web hosts and throwaway S3 buckets, a pattern typical of mass-generated document spam. Conversely, several of the extracted URLs are noise: the w3.org, purl.org and ns.adobe.com entries are XMP metadata namespaces, and the GNU, SIL OFL, DejaVu, FreeFont and Ascender entries are licence and copyright strings from the five embedded fonts listed under Extracted artifacts. They should not be treated as indicators.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://leonvi.ru/strik?utm_term=how+to+understand+math+easily
    • http://kinemulawaw.sportsontheweb.net/madato.pdf
    • https://cdn-cms.f-static.net/uploads/4500904/normal_6051e7428b11b.pdf
    • http://mujabelor.mywebcommunity.org/kadivobegovotojupad.pdf
    • http://nizavevorupuj.mywebcommunity.org/south_carolina_drivers_license_practice_exam.pdf
    • https://static.s123-cdn-static.com/uploads/4404488/normal_5ff038fecec93.pdf
    • https://cdn-cms.f-static.net/uploads/4482228/normal_601e747a296ca.pdf
    • https://cdn-cms.f-static.net/uploads/4407986/normal_6018560fc9100.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://vodobugatusexa.epizy.com/1st_rank_raju_kannada_film_songs.pdf
    • http://lufevexos.atwebpages.com/linux_administration_mumbai_university.pdf
    • https://s3.amazonaws.com/vatakefojunib/chem_1_review_sheet.pdf
    • https://s3.amazonaws.com/lizuseguwix/begopuvines.pdf
    • https://s3.amazonaws.com/puretulenuza/blank_board_serializer.pdf
    • https://s3.amazonaws.com/sisaxu/interpretation_of_financial_statements.pdf
    • http://zirutabu.myartsonline.com/calendario_noviembre_2020_mexico.pdf
    • http://madanekobovuge.epizy.com/11030725645.pdf
    • https://s3.amazonaws.com/tajimipojimo/ganabo.pdf
    • http://rijemow.onlinewebshop.net/519472782.pdf
    • http://komoxam.rf.gd/cracking_codes_with_python_book.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://savannah.gnu.org/projects/freefont/
    • http://www.gnu.org/licenses/
    • http://www.gnu.org/copyleft/gpl.html
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
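The two heuristics above (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and the URL triage under EMBEDDED_URL) can be reproduced with a small raw-byte scanner. The following is an added example written for this report, not part of the analysis platform or its heuristics engine: it finds every "N G obj ... endobj" definition, reports object numbers that appear more than once with different body bytes, shows what a first-wins and a last-wins reader would each resolve, raises severity only when a duplicate body carries active-content keys, and sorts extracted URLs into /URI action targets, XMP namespace URIs and everything else. The PDF bytes are a constructed sample (no xref tables, so not a byte-accurate file), and the function names, the ACTIVE_KEYS list and the METADATA_NS prefixes are choices made for this example.

```python
import hashlib
import re

# Constructed sample (not the analysed file): a minimal PDF plus an
# incremental update that redefines object 1 0 (the catalog) and adds an
# /OpenAction pointing at a /URI action. Cross-reference tables are
# omitted because this scanner works on raw bytes, so the sample is not a
# byte-accurate PDF; a real file would carry xref sections as well.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >>\nendobj\n"
    b"5 0 obj\n<< /Type /Metadata /Subtype /XML /Length 66 >>\nstream\n"
    b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/>\n'
    b"endstream\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Size 6 >>\n%%EOF\n"
    # Incremental update: same object number, different body, now active.
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>\nendobj\n"
    b"4 0 obj\n<< /S /URI /URI (https://lure.example.com/landing?utm_term=x) >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Size 6 >>\n%%EOF\n"
)

# "N G obj ... endobj" anywhere in the file; the lookbehind stops
# "13 0 obj" from also being matched as "3 0 obj".
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
URL_RE = re.compile(rb"https?://[^\s<>()\"']+")

# Dictionary keys that turn a redefined object from "info" into "warning"
# (example choice; extend to taste).
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/URI",
               b"/OpenAction", b"/AA", b"/SubmitForm")
# URL prefixes that are XMP / Dublin Core / Adobe schema namespaces, not links.
METADATA_NS = ("http://www.w3.org/", "http://purl.org/dc/", "http://ns.adobe.com/")


def find_objects(data):
    """All indirect object definitions as (num, gen, body, offset), in file order."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3).strip(), m.start())
            for m in OBJ_RE.finditer(data)]


def duplicate_objects(data):
    """(num, gen) -> list of bodies, only for objects defined with differing bytes.

    Identical repeated bodies (common in benign incremental saves) are ignored.
    """
    seen = {}
    for num, gen, body, _ in find_objects(data):
        seen.setdefault((num, gen), []).append(body)
    return {key: bodies for key, bodies in seen.items()
            if len({hashlib.sha256(b).hexdigest() for b in bodies}) > 1}


def has_active_content(body):
    return any(key in body for key in ACTIVE_KEYS)


def resolve(data, num, gen, policy):
    """Emulate a first-wins ("first") or last-wins ("last") reader for one object."""
    bodies = [b for n, g, b, _ in find_objects(data) if (n, g) == (num, gen)]
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


def uri_actions(data):
    """Targets of /URI actions, i.e. URLs the viewer would actually open."""
    return [m.group(1).decode("latin-1") for m in URI_ACTION_RE.finditer(data)]


def classify_urls(data):
    """Separate action targets from metadata namespaces and other strings."""
    actions = set(uri_actions(data))
    buckets = {"uri_action": [], "metadata_namespace": [], "other": []}
    for m in URL_RE.finditer(data):
        url = m.group(0).decode("latin-1")
        if url in actions:
            bucket = "uri_action"
        elif url.startswith(METADATA_NS):
            bucket = "metadata_namespace"
        else:
            bucket = "other"
        if url not in buckets[bucket]:
            buckets[bucket].append(url)
    return buckets


def triage(data):
    """Report duplicate objects (with both resolutions) and classified URLs."""
    report = {"duplicate_objects": [], "urls": classify_urls(data)}
    for (num, gen), bodies in duplicate_objects(data).items():
        active = any(has_active_content(b) for b in bodies)
        report["duplicate_objects"].append({
            "obj": f"{num} {gen}",
            "versions": len(bodies),
            "severity": "warning" if active else "info",
            "first_wins": resolve(data, num, gen, "first").decode("latin-1"),
            "last_wins": resolve(data, num, gen, "last").decode("latin-1"),
        })
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_PDF), indent=2))
```

Against the sample, object 1 0 is reported twice with different bodies: a first-wins reader sees a plain catalog, a last-wins reader sees one with an /OpenAction, and the severity is raised because the second body carries an active key. The URL classifier returns the lure address as the only /URI action target and files the rdf namespace under metadata, which is the same split the report's narrative applies to the w3.org, purl.org and ns.adobe.com entries. On a real file, run the same functions over the decompressed object streams as well, since a raw-byte scan cannot see objects packed inside /ObjStm.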

Extracted artifacts (5)

Files carved from inside the sample during analysis. All five are embedded font programs (sfnt containers); the GNU, SIL OFL, DejaVu, FreeFont and Ascender URLs in the Embedded URL list come from their licence and copyright strings.

Filename / SHA-256 / Kind / Source / Size

font_00_sfnt_off00016eb4.bin
  SHA-256: 62deedb54aaef669db635f4ef87d4bda5d475a8bf20633d6b56d9e4ab12fd410
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x16EB4
  Size: 6416 bytes

font_01_sfnt_off00017e89.bin
  SHA-256: 06718d9baa9d61d65d78363877c1bdd8d1e830ab9c977752a48a62bf120a5c81
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x17E89
  Size: 5220 bytes

font_02_sfnt_off00019029.bin
  SHA-256: bea2bba35ccd42c435f82bf4375d998ceef9a01471ffbdc4bdce19650bec9ea7
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x19029
  Size: 2896 bytes

font_03_sfnt_off00019b73.bin
  SHA-256: c193adaa07702bd336c3365dab6330a172e7992a7673d52e2cc65eb1b8993f1e
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x19B73
  Size: 12480 bytes

font_04_sfnt_off0001c5b8.bin
  SHA-256: e2237bcfba2ad8a8c6238a86fe0fbf220db2b991d1f402b1dc0856d9f6c5f988
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1C5B8
  Size: 16076 bytes