Malicious PDF — malware analysis report

Static analysis result for SHA-256 56ff02598a414a4b…

MALICIOUS

PDF

Size: 182.3 KB
Created: 2021-03-18 18:13:45 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f632146835ebaddbd6658d0b50d26c91
SHA-1: 74e9b6dc7000e373821fb9a2bc30943506c24144
SHA-256: 56ff02598a414a4b2f9f50a56508bbe7256dfc97ab715b712cb177167f237008
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

ML classifiers and ClamAV both flag the file as malicious; the ClamAV signature classes it as a PDF phishing trojan. The document was rendered from HTML with wkhtmltopdf and carries an external URI action pointing to zajinet.ru, the likely lure, together with dozens of body links to PDFs hosted on weebly.com, strikinglycdn.com, filesusr.com and S3, a link-farm pattern consistent with a redirect or download lure. No JavaScript or other script content was extracted, so the T1059.007 mapping rests on the classifier verdicts rather than on a recovered script; the most plausible intent is to send the user to an attacker-controlled site for credential harvesting or further malware delivery. One indirect object is also defined twice with different bodies; body-only differences are common in incremental updates, but a reviewer should confirm which definition the target viewer resolves. The remaining extracted URLs (the w3.org, purl.org and ns.adobe.com XMP namespace URIs, and the ascendercorp.com, daltonmaag.com and scripts.sil.org/OFL strings of the kind carried in embedded font name tables) are metadata, not indicators.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9951

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://zajinet.ru/wix?keyword=ouran+highschool+host+club+twins+height (target of the external URI action)
    • https://metenesepagozo.weebly.com/uploads/1/3/4/7/134710396/lopadibobupu.pdf
    • https://zogoporev.weebly.com/uploads/1/3/1/3/131381602/ragefij.pdf
    • https://basapozixuw.weebly.com/uploads/1/3/4/7/134701575/mudoku.pdf
    • https://jorobeperepi.weebly.com/uploads/1/3/1/8/131856290/zejeladuloxe.pdf
    • https://sokirokesavosa.weebly.com/uploads/1/3/4/9/134901907/5844736.pdf
    • https://webunufilijamo.weebly.com/uploads/1/3/4/6/134677486/1907062.pdf
    • https://vamepaxokuwi.weebly.com/uploads/1/3/5/9/135959455/vomukoziv_xisuvip_vazema_lopikupaz.pdf
    • https://wisobujiraru.weebly.com/uploads/1/3/5/3/135329541/naxero_jepezisumosuze.pdf
    • https://jixivegeparimes.weebly.com/uploads/1/3/4/7/134749144/miboxupi.pdf
    • https://wiwamimojuwat.weebly.com/uploads/1/3/0/8/130813692/kenagenezal.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://48bf584d-d56c-45cf-b4f3-c1c05dce5274.filesusr.com/ugd/3f4b99_9b7e056969554de1b2773f44dc5adbc9.pdf?index=true
    • https://041aa876-b65b-432c-96c0-58c8b295a4e4.filesusr.com/ugd/90d19e_acbaca4715af4c4492c7f0dfe7f113e1.pdf?index=true
    • https://9de673a2-3b8e-40eb-bbf5-c0ad8e71a3da.filesusr.com/ugd/bd5c68_e359b63686004a4f836a6a0b191422da.pdf?index=true
    • https://uploads.strikinglycdn.com/files/e654d50b-604c-4458-a333-e3afcf9b2ba8/how_much_for_a_2jz_swap.pdf
    • https://uploads.strikinglycdn.com/files/b5ed39ac-f317-47fb-94b7-db9b70701ea4/homelite_330_chainsaw_for_sale.pdf
    • https://uploads.strikinglycdn.com/files/88d00f1c-b5f2-4ea8-b486-d991df6876d2/nalonulivixewel.pdf
    • https://s3.amazonaws.com/remeranexe/adobe_photoshop_graphic_design_software_free.pdf
    • https://fb413987-6e77-4bf1-aaa6-e97eb550fbee.filesusr.com/ugd/108936_9c01809a2fc24e549f7cc5e15e20fafc.pdf?index=true
    • https://s3.amazonaws.com/vobuturinivi/brand_guidelines_indesign_template.pdf
    • https://s3.amazonaws.com/nilititonawafim/shell_alvania_rl2_safety_data_sheet.pdf
    • https://4bf641bf-117a-4913-931f-55e49063997f.filesusr.com/ugd/5befcb_6aa6e87355c249678bee70e02814f2c3.pdf?index=true
    • https://4eff3ec4-d147-45d1-be73-876d9e1d0019.filesusr.com/ugd/efb3f0_06ba0c51330d44eca51852738552cade.pdf?index=true
    • https://uploads.strikinglycdn.com/files/fb0b7517-87c5-4cd3-907b-c412a8fddc83/39637796953.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
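As an added example (not the analysis platform's code, and not run against this sample), the following Python scans a PDF's raw bytes the way the two heuristics above describe: it lists indirect objects defined more than once with differing bodies and raises severity only when a duplicate carries active content, shows what a first-wins and a last-wins reader would each resolve for such an object, and labels every extracted URL with the channel that reached it, separating URI actions from XMP namespace strings. The embedded sample PDF, the example.invalid hostnames and the channel names are constructed for the example. The scanner ignores the xref table on purpose and does not inflate compressed streams, so on a real file it is a triage pass, not a replacement for a full parser.

```python
"""Raw-byte PDF triage: duplicated indirect objects and URL channels.

Added example, not the analysis platform's code. It ignores the xref table
so that the first-wins / last-wins ambiguity behind
PDF_DUPLICATE_OBJ_BODY_INCREMENTAL is visible, and it does not inflate
FlateDecode streams, so URLs inside compressed content are not seen.
"""
import re
from collections import defaultdict

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
URL_RE = re.compile(rb"https?://[^\s<>()\"']+")
URI_ACTION_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")
# Dictionary keys that make a viewer act; a duplicated body carrying one of
# these is a parser-confusion candidate rather than a benign incremental edit.
ACTIVE_RE = re.compile(
    rb"/(JS|JavaScript|Launch|OpenAction|AA|URI|SubmitForm|GoToR|EmbeddedFile)\b")
# Namespace URIs present in every XMP packet; metadata, not indicators.
XMP_NAMESPACE_PREFIXES = (
    b"http://www.w3.org/1999/02/22-rdf-syntax-ns#",
    b"http://purl.org/dc/elements/1.1/",
    b"http://ns.adobe.com/",
)

# Constructed sample, not the analysed file. Object 5 (link annotation with a
# /URI action) and object 4 (a font) are redefined in an appended update. No
# xref is written; the byte scanner does not need one.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 6 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj
4 0 obj << /Type /Font /Subtype /TrueType /BaseFont /Arimo >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
  /A << /S /URI /URI (https://download.example.invalid/manual.pdf) >> >> endobj
6 0 obj << /Type /Metadata /Subtype /XML >>
stream
<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/></x:xmpmeta>
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Type /Font /Subtype /TrueType /BaseFont /Tinos >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
  /A << /S /URI /URI (https://lure.example.invalid/wix?keyword=manual) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def scan_objects(data):
    """Map (num, gen) to every body defined for it, in file order."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return objs


def duplicate_objects(objs):
    """Objects defined more than once with differing bodies.

    Byte-identical redefinitions are skipped; severity is raised only when
    some definition carries an active key, as the report's heuristic does.
    """
    findings = []
    for (num, gen), bodies in sorted(objs.items()):
        if len(bodies) < 2 or len(set(bodies)) == 1:
            continue
        active = any(ACTIVE_RE.search(b) for b in bodies)
        findings.append({"obj": (num, gen), "definitions": len(bodies),
                         "severity": "high" if active else "info"})
    return findings


def resolve(objs, num, gen, policy):
    """Body a first-wins or last-wins reader would use for (num, gen)."""
    bodies = objs.get((num, gen), [])
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


def extract_urls(data):
    """(url, channel) pairs: uri-action, xmp-namespace or document-body."""
    actions = {m.group(1) for m in URI_ACTION_RE.finditer(data)}
    seen, out = set(), []
    for m in URL_RE.finditer(data):
        url = m.group(0).rstrip(b".,;")
        if url in seen:
            continue
        seen.add(url)
        if url in actions:
            channel = "uri-action"
        elif url.startswith(XMP_NAMESPACE_PREFIXES):
            channel = "xmp-namespace"
        else:
            channel = "document-body"
        out.append((url.decode("latin-1"), channel))
    return out


if __name__ == "__main__":
    objs = scan_objects(SAMPLE_PDF)
    for finding in duplicate_objects(objs):
        print(finding)
    for policy in ("first", "last"):
        print(f"{policy}-wins reader sees:", resolve(objs, 5, 0, policy))
    for url, channel in extract_urls(SAMPLE_PDF):
        print(f"{channel:14} {url}")
```

On the constructed sample the font redefinition is reported as info and the link-annotation redefinition as high, and the two resolution policies return different /URI targets for the same object, which is the disagreement a targeted PDF exploits between a scanner and the victim's viewer. On a real file, compare these results with the definition the xref table actually points at before deciding which URL is the operative lure.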

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00020309.bin
    SHA-256: 4bdebcf33d1a13d7390ab014b9089497db20b7b1c8e811db853787f1af2bbfaf
    Kind: pdf-font-stream   Source: PDF embedded font (sfnt) at offset 0x20309   Size: 41996 bytes
  • font_01_sfnt_off0002838a.bin
    SHA-256: 5afa10401952fde26c05744fbe3865a34b43b0c7a5bb12502f93c3967d20d2e9
    Kind: pdf-font-stream   Source: PDF embedded font (sfnt) at offset 0x2838A   Size: 5204 bytes
  • font_02_sfnt_off00029540.bin
    SHA-256: 2640cb5e05c6bba125a37d5e928e220310e9ec0690a65dac42122b95759af440
    Kind: pdf-font-stream   Source: PDF embedded font (sfnt) at offset 0x29540   Size: 12084 bytes
  • font_03_sfnt_off0002bc87.bin
    SHA-256: 1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361
    Kind: pdf-font-stream   Source: PDF embedded font (sfnt) at offset 0x2BC87   Size: 4324 bytes