Malicious PDF — malware analysis report

Static analysis result for SHA-256 5727dd9e65d2ab43…

Verdict: MALICIOUS
File type: PDF
Size: 318.4 KB
Created: 2021-04-06 17:16:22 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ef7944c986372d3dc09a627627848ca7
SHA-1: b9ea0b621953ad5069efb5d3a5b630f7bd4de0fb
SHA-256: 5727dd9e65d2ab436d0541d6a9b50f17eb7f0bed404b01926f4a801295ac39ad
Risk score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF document contains an embedded URI pointing to a suspicious domain, which is a strong indicator of a phishing or malware distribution attempt. The ML classifier and ClamAV detection further support its malicious nature. Although no scripts were explicitly extracted, the presence of external URIs suggests an attempt to redirect the user to a malicious site, likely for credential harvesting or further payload delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9695

Heuristics (4)

  • ClamAV detection [severity: critical, rule: CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [severity: info, rule: PDF_URI]
    The PDF contains an external URL action.
  • Object number defined twice with different bodies [severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [severity: info, rule: EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00048513.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x48513; Size: 5340 bytes
    SHA-256: 6b241ee0a66bb5364d4758c23c37bd96a4088dd1285cd2609e9180ab0a318999
  • font_01_sfnt_off000496ff.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x496FF; Size: 1852 bytes
    SHA-256: cefa93ab99268b9387626336cc8aeb986d802f3a091f6156c231f0642977bfab
  • font_02_sfnt_off00049fda.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x49FDA; Size: 16860 bytes
    SHA-256: 848b9abaecc0e0f94aad7857f6aa9f4c802d54e5327e817072d0d3458c0bf324
  • font_03_sfnt_off0004d247.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x4D247; Size: 16436 bytes
    SHA-256: be42612503beb0021a8f9dcfffb448ff08b5dcf845a91b068d1fe5ac07c3c2a9