Malicious PDF — malware analysis report

Static analysis result for SHA-256 575f58882a00f8f2…

MALICIOUS

PDF

154.5 KB Created: 2021-06-03 01:53:04 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 575d46ff6f419e28feede14866894e1f SHA-1: d353b724476e982bf7d1eab05864e5914620788c SHA-256: 575f58882a00f8f22026531b00b3c60d17bbab7cdf0530124dd2d93bd0adc9c0
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains a URL that mimics a search engine result, likely intended to trick users into visiting a malicious site. ClamAV and ML classifiers flagged this PDF as malicious, specifically as a phishing trojan. While no scripts were directly extracted, the PDF structure and embedded URI suggest a phishing attempt to redirect users to a potentially harmful external resource.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9981

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://crewmak.ru/pbw?utm_term=is+it+possible+to+burn+3000+calories+a+day
    • https://bubituzujolumet.weebly.com/uploads/1/3/4/6/134647672/7b0434f31e.pdf
    • https://sejexogubason.weebly.com/uploads/1/3/1/0/131070030/forijuzapavenakopob.pdf
    • https://xufolonul.weebly.com/uploads/1/3/2/6/132695880/jokotugizer.pdf
    • https://gisafumeg.weebly.com/uploads/1/3/6/0/136098567/xuvazowazeb.pdf
    • https://bitojeromewex.weebly.com/uploads/1/3/0/8/130874526/lizosaz.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://fedorahosted.org/lohit
    • https://uploads.strikinglycdn.com/files/610cea1e-27cc-4610-ade8-c448376483fd/diamond_infinite_edge_pro_draw_length_adjustment_chart.pdf
    • http://kimotamiju.pbworks.com/w/file/fetch/144528825/wibexeviwepovubo.pdf
    • http://kirozatijawu.pbworks.com/f/3m_thermofax_manual.pdf
    • https://uploads.strikinglycdn.com/files/814f5e49-c494-4478-9ee3-9dbe5f35e6ec/81247252379.pdf
    • https://uploads.strikinglycdn.com/files/bfc1fc40-ef5b-4b81-aff4-fccf4bfbc819/gender_roles_in_chronicle_of_a_death_foretold_prezi.pdf
    • http://minuwaxiper.pbworks.com/w/file/fetch/144507339/70857860844.pdf
    • http://lomexalipele.pbworks.com/f/euro_truck_simulator_1.1_1_trkiye_haritas_indir.pdf
    • https://uploads.strikinglycdn.com/files/17eff59b-0279-4c7d-b3a3-ca1591b00f94/what_greek_god_starts_with_a.pdf
    • https://uploads.strikinglycdn.com/files/2736cb7c-a692-4e55-be54-5e116732c890/joyetech_evic_vt_manual.pdf
    • http://paderukut.pbworks.com/f/bruno_mars_zip_vk.pdf
    • https://uploads.strikinglycdn.com/files/e2deb163-18ce-41f2-9fd8-615865a2c404/the_god_must_be_crazy_full_movie_download_in_hindi_filmyzilla.pdf
    • http://vamafob.pbworks.com/w/file/fetch/144474213/partnership_deed_sample_doc_pakistan.pdf
    • http://sipibujewadu.pbworks.com/f/bivovebafakibikaragiba.pdf
    • https://uploads.strikinglycdn.com/files/ed72b15a-da6e-413f-9bf9-e6fc8f35cb37/ropodovapetuguji.pdf
    • http://zopujoxobug.pbworks.com/f/92344940347.pdf
    • https://uploads.strikinglycdn.com/files/5e92f4d0-9eab-4210-9943-2450f9b9d903/kagukepuwi.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001fc5b.bin
223c10a6bbcdcc85203f8ac07eb238b487045f9d1f1f3c8bd37484f06311fd80		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1FC5B 4028 bytes
font_01_sfnt_off00020a82.bin
598752fef7819cf085ee20e6c9ac1e61248ed86d625f2c83ae97240e499e8ec7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x20A82 5552 bytes
font_02_sfnt_off00021d64.bin
f7e3efe73db86c42c14fcd25449445e642304b927ef2b92609f8a251ec91f905		 pdf-font-stream PDF embedded font (sfnt) at offset 0x21D64 4060 bytes
font_03_sfnt_off00022c3a.bin
483520f4f71c4665575376338dca1195b7cd2aca59e143f4fe8446ed902e655f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x22C3A 14632 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.