Malicious PDF — malware analysis report

Static analysis result for SHA-256 56425b774e3f60e5…

MALICIOUS

PDF

Size: 171.2 KB
Created: 2021-03-22 14:15:26 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d8f5868db1e7012231c3e20f87103db8
SHA-1: 50a4f4c1c3ecdce9ec50fb5e09ce83a1a1c2450b
SHA-256: 56425b774e3f60e5444d204a4cdd0c873469fbb9f9664db3e84fa9cc1e285948
Risk score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is a PDF containing an embedded URL that points to a suspicious domain, identified by heuristics as an external URI and an embedded URL. The ML classifier and ClamAV detection strongly indicate malicious intent, likely related to phishing or malware delivery. Although no scripts were explicitly extracted, the presence of embedded URLs in a PDF commonly serves to redirect users to malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9972

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://seumenha.ru/wix?keyword=rtc+medical+transportation
    • http://fusizexa.22web.org/doing_bayesian_data_analysis_amazon.pdf
    • http://paxomiratu.iblogger.org/kamitawoxotuxixalanubopa.pdf
    • http://zilakagu.22web.org/21777410366.pdf
    • http://cheapkeys.site/tanojektn8y.pdf
    • http://vkysnaya-eda.site/conduct_detrimental_to_the_leagueucxzs.pdf
    • http://jududijixemuvov.22web.org/pitalunadunuwiwigol.pdf
    • http://webuzudinu.iblogger.org/branchial_cyst_surgery.pdf
    • https://cdn.sqhk.co/xadeviro/jikgjWP/fonijar.pdf
    • http://boviriso.22web.org/binkw32._dll_for_gta_iv.pdf
    • https://cdn.sqhk.co/sesijisova/gjgjgeU/storm_iowa_today.pdf
    • https://cdn.sqhk.co/nowovadizeb/fjejigh/butobopiwed.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://0ecef3a8-5193-4df1-8dcb-1b7dd0f2be2a.filesusr.com/ugd/e6092c_30754c2c8ed04433a517b12364db874c.pdf?index=true
    • https://uploads.strikinglycdn.com/files/2c5beec4-6514-41f1-b418-84103c8b445a/60935564053.pdf
    • https://uploads.strikinglycdn.com/files/34b1245e-6df7-43c9-89c1-4f8c81fe48fe/tofulizajo.pdf
    • http://zetakid.rf.gd/calculator_for_ipad_air.pdf
    • https://1f571a09-6495-4108-bd1a-9715deae29b5.filesusr.com/ugd/b0bf26_f0f19bc1ff7147de92edc6cdd9de2c8e.pdf?index=true
    • https://bb209e34-24c3-4901-88bd-c00af8cda710.filesusr.com/ugd/de6798_e66afa6f967b4a8ea49410c17ef321c1.pdf?index=true
    • http://tetozidix.rf.gd/favudewaf.pdf
    • https://uploads.strikinglycdn.com/files/8afc7080-5d7c-43aa-a685-92c4d09e4cfe/kerovisakidimemuzisijoj.pdf
    • https://uploads.strikinglycdn.com/files/d29dc6ff-f4b8-48a2-8fd4-69d1a8259914/38489299308.pdf
    • https://9e2bb560-353e-4f5d-a08b-1363560edab4.filesusr.com/ugd/6c032c_c2a849be521a41a896327c3cc6a6cc8e.pdf?index=true
    • https://uploads.strikinglycdn.com/files/7396baee-d154-41e1-b439-f44ff6f3cb33/genuduzisokusulimupax.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00021e1e.bin | bf5ae587a6ce06c1341f9031ba2b78dd0f76c55693f13c226bd65be9f71b9f58 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x21E1E | 13264 bytes
font_01_sfnt_off000249f6.bin | 2d1c65820c201217ec0c3613a4128a978ba3e1508c40645b9eb327bb13883ef8 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x249F6 | 5228 bytes
font_02_sfnt_off00025ba8.bin | a05a51530b888f2c80f5c7266f66899e4f3a3f2ce07771942a36bb17856c827e | pdf-font-stream | PDF embedded font (sfnt) at offset 0x25BA8 | 14252 bytes
font_03_sfnt_off000289a1.bin | 2173a1880e9f774f759393e7d0d28dda91d04d8a3eae6bea41b822770b343b90 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x289A1 | 16060 bytes