Malicious PDF — malware analysis report

Static analysis result for SHA-256 5750ed1a2dcbe164…

Verdict: MALICIOUS
File type: PDF
Size: 82.6 KB
Created: 2021-03-22 13:59:50 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6277cb9dea04e126e691f8727d58abe6
SHA-1: 90a2f7b65c47e0ce3e6387a6213e2375784dbcad
SHA-256: 5750ed1a2dcbe1648f70fcc242843015c36478e1afbfd286c646c90b8302bae7
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. The document body, though heavily obfuscated, contains references to 'tiny tower hacks 2019' and an external URI pointing to a similar keyword, suggesting a phishing or social engineering lure. The presence of embedded URLs and the PDF structure itself are consistent with techniques used to deliver malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9957

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://pelibifir.ru/wix?keyword=tiny+tower+hacks+2019

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0001034d.bin
SHA-256: 3fcfc09e6e0e5bdc048bb5acffac07924f42692e5c757f88cf7eeae40a1ac7da
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1034D
Size: 5544 bytes

Filename: font_01_sfnt_off00011637.bin
SHA-256: d3f2edca314ed8557eadf89a8bdd88e794bfe872f3bddfc2b16d11106d6223bd
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x11637
Size: 11160 bytes