Malicious PDF — malware analysis report

Static analysis result for SHA-256 5821d147caffa6b8…

MALICIOUS

PDF

80.2 KB Created: 2021-03-19 23:58:18 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 289a73d75a02fa758f10a4f588a957d1 SHA-1: b9c14499464036bfe4a8dfc13962176ca24f97a4 SHA-256: 5821d147caffa6b8baa64e28126bb706cd19d9c3f8232eedd02ed3b3359e3007
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was detected as malicious by ClamAV and an ML classifier, with a high risk score. It contains an embedded URI pointing to a suspicious URL, which is likely used to host or redirect to a malicious payload. The document body, though heavily obfuscated, suggests a lure related to educational materials, a common tactic for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jumiwimov.ru/strik?utm_term=larson+calculus+10th+edition+solution+manual+pdf
    • http://lazisirogabidir.mypressonline.com/6th_grade_math_review_test.pdf
    • http://dipenoguzel.sportsontheweb.net/42830597108.pdf
    • http://vosajizegek.mypressonline.com/simple_amplifier_circuit.pdf
    • http://rorixuge.iblogger.org/72051319867.pdf
    • https://zutijuxugovoxi.weebly.com/uploads/1/3/4/6/134684331/5c43f.pdf
    • https://texotawumixiwaw.weebly.com/uploads/1/3/4/8/134898612/noveduvojomum.pdf
    • http://wosozage.mypressonline.com/is_there_a_24_hour_walmart_open_near_me.pdf
    • http://mozaduz.mygamesonline.org/vagegigiwipez.pdf
    • http://fisareboveda.getenjoyment.net/bafemifawezinem.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://tipokeviti.atwebpages.com/chemistry_experiments_for_life_science_majors.pdf
    • https://e8c82854-2a0b-4c0f-82de-bac600ce06e6.filesusr.com/ugd/d017d5_f80bcc363e7641e99a57cdd3c48af973.pdf?index=true
    • https://91ca87c2-c493-4616-adaa-fbcec45394e1.filesusr.com/ugd/6116da_e174a6351f3e4fe2b0a9a92658eb1186.pdf?index=true
    • http://vilulew.rf.gd/management_accounting_journal_articles.pdf
    • http://kisalonokexiwi.atwebpages.com/47529086189.pdf
    • http://momevoke.rf.gd/87411724813.pdf
    • https://a3cd4400-5fdc-4e6a-bda8-88556a2d4d1f.filesusr.com/ugd/2f7489_a0e4385abfff46ab81926831ca0f8228.pdf?index=true
    • https://58552d80-c20c-4e4f-99b9-91bedbcc07a3.filesusr.com/ugd/c18496_111d9f4b4c4d4db1b96b8e4d5afcc5de.pdf?index=true
    • http://rowoniwetob.atwebpages.com/king_lear_summary_in_hindi_video.pdf
    • http://jababonulet.epizy.com/panasonic_inverter_microwave_oven_grill_function.pdf
    • http://nebojemesiwi.atwebpages.com/el_estado_liberal.pdf
    • http://durenifujogax.myartsonline.com/jemasof.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ee6f.bin
10a07fc969e6c8cf41398fcfefa625e426b29a45b33f3716d0886db1405c0d2a		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEE6F 2900 bytes
font_01_sfnt_off0000f8b2.bin
dbee3d05c25ff462002df81f0a2ab405528e1b349e8ecc3cf155d996b4ec1dcd		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF8B2 5532 bytes
font_02_sfnt_off00010b57.bin
197fd092185dc9658d759ba942fb044841564b7d616b65204708f23a44cbce9c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10B57 11484 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.