Malicious PDF — malware analysis report

Static analysis result for SHA-256 58ec427d9c16216e…

MALICIOUS

PDF

75.6 KB Created: 2021-03-31 03:15:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-07-13
MD5: d13c44ba5450b3e1498ef7353a5b3630 SHA-1: 4f4a37a738402a0338a2ab68a596276306b64916 SHA-256: 58ec427d9c16216e50a5e764b468869a219fcef0ec1dd394f14a30c43436ade9
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains an embedded URI pointing to a suspicious domain, identified by heuristics as a potential phishing or malware distribution lure. ClamAV also detected this file as a malicious PDF. While no scripts were explicitly extracted, the PDF structure and embedded URI strongly suggest an attempt to redirect the user to a malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://vilenefex.ru/award?keyword=ischemic+heart+disease+journal+pdf PDF link annotation
    • http://likedizar.medianewsonline.com/3_articulos_de_la_constitucion_mexicana_mas_importantes.pdfIn PDF document text
    • http://bizowokare.getenjoyment.net/approximation_algorithms_for_np_hard_problems.pdfIn PDF document text
    • http://frasqen.online/76293826492rdd23.pdfIn PDF document text
    • http://electriccannoz.club/86821056349pswb2.pdfIn PDF document text
    • http://oyuncuxx.com/gajamuvawasotlmpoy.pdfIn PDF document text
    • http://wejixekolubuguw.iblogger.org/suraxeleniredojesejuwon.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/ddb92442-fdfb-4d67-ac77-c9445cea930c/who_is_like_the_lord_our_god_compassionate_and_full_of_mercy_chords.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/95ae83a0-517e-4668-8e07-52ad2841df20/husqvarna_leaf_blower_spark_plug_replacement.pdfIn PDF document text
    • https://s3.amazonaws.com/tabobujimo/city_of_ottawa_recreation_guide_special_needs.pdfIn PDF document text
    • https://8eeb1f0a-0cdd-4c66-98a4-83777b49fb54.filesusr.com/ugd/64f9d2_35f2a9e0b9894149aaa3fd7110d18f16.pdf?index=trueIn PDF document text
    • https://s3.amazonaws.com/zifozujiwi/is_freight_out_an_administrative_expense.pdfIn PDF document text
    • https://s3.amazonaws.com/dinigugaxej/percent_to_decimal_to_fraction_worksheet.pdfIn PDF document text
    • https://8d59741e-369e-44be-b01e-8fbcb09d2d01.filesusr.com/ugd/7cefa9_8f6fa235300f4a1c96f23a9c04d61c26.pdf?index=trueIn PDF document text
    • http://zaxuzut.atwebpages.com/17848523888.pdfIn PDF document text
    • http://nujebij.onlinewebshop.net/bartter_syndrome_treatment.pdfIn PDF document text
    • https://9e730ba1-499c-413e-9a09-8a81f8121270.filesusr.com/ugd/0a0016_ceed92e3170147caacb0c93a4ea27b07.pdf?index=trueIn PDF document text
    • http://zenujasope.epizy.com/defusu.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/c26a8680-fd05-47fb-a619-42b3204578ab/13157946727.pdfIn PDF document text
    • https://cf2e1f24-e5f1-4289-9567-3affce9c164e.filesusr.com/ugd/a4ea6c_ce80b2eb61954dc2a4cdfecb21ab8549.pdf?index=trueIn PDF document text
    • https://02796127-04ec-4c85-b270-c6f7310ebb18.filesusr.com/ugd/ce0e6d_09f541243ffd4e4a8fc242a77bb92b87.pdf?index=trueIn PDF document text
    • https://s3.amazonaws.com/vebisop/miccus_home_rtx_mini_manual.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/fefcda2c-03e5-489e-803b-009bdb296dfc/lojibu.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e566.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE566 5408 bytes
SHA-256: 932ca15a6865d2e279c0b78b16a7e81bb10986a7b75c6f0cd37ee429f8def498
font_01_sfnt_off0000f7a4.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF7A4 12692 bytes
SHA-256: 7d55cb9f43dc6b09a73425a46e45875c02b141ee4284cfa46491b0cf7f9c78fe

Open this report in the interactive analyzer, or submit your own file for analysis.