Malicious PDF — malware analysis report

Static analysis result for SHA-256 598a2a8445659187…

MALICIOUS

PDF

91.6 KB Created: 2021-02-17 17:40:08 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 31513654968f4132d29c3fe32c222530 SHA-1: f294ab7bbf52e1ee7655ca7e4a60cbb3d8d5a8b7 SHA-256: 598a2a8445659187795610c37b5cad7c7cd236ad4a8538c2d0f5b6d1d833eed4
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was flagged by a machine learning classifier and ClamAV as malicious, specifically as a phishing trojan. It contains an embedded URL that directs users to a website disguised as an answer key for worksheets, likely a social engineering lure. Although no scripts were explicitly extracted, the PDF structure and embedded URLs suggest an attempt to redirect the user to a malicious site for further exploitation.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://maypoin.ru/wix?keyword=measuring+capacity+worksheets+answer+key
    • https://wujipomazoki.weebly.com/uploads/1/3/1/3/131384492/tixovawenonefaru.pdf
    • https://jaroxifapo.weebly.com/uploads/1/3/1/6/131636664/tajogigu.pdf
    • http://pesuzukotejoki.iblogger.org/piluwewuzokol.pdf
    • https://cdn.sqhk.co/salaseli/CZic6jg/electricity_plasma_live_wallpaper_pro_apk.pdf
    • https://xaxibilezulaf.weebly.com/uploads/1/3/4/0/134096047/3423980.pdf
    • http://wavolat.iblogger.org/78240279247.pdf
    • https://cdn.sqhk.co/rogapakaler/jd9ies0/ronemujesetupalipadudeg.pdf
    • https://cdn.sqhk.co/vebudirepo/jgF9hg1/rotator_cuff_surgery_recovery_success_rate.pdf
    • http://xevamaz.iblogger.org/answer._ua.pdf
    • https://cdn.sqhk.co/pobojatizopa/jKggQhi/teacher_capsule_wardrobe_winter_2020.pdf
    • https://cdn.sqhk.co/wanaxowuwot/ij3hg0W/dialer_apk_mod.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/diwitapezu/53412901217.pdf
    • http://dazozelagur.epizy.com/java_string_format_f_decimal_places.pdf
    • http://punirasum.rf.gd/femifevujojadop.pdf
    • http://zazujipediwa.rf.gd/le_marxisme.pdf
    • https://s3.amazonaws.com/jaxesabi/hambriento_nach_descargar_gratis.pdf
    • https://s3.amazonaws.com/rudelazifizuvo/pokevuzuzu.pdf
    • https://s3.amazonaws.com/tozaduliwubega/bbc_bargain_hunt_episode_guide.pdf
    • http://govujetimavex.epizy.com/finavufabefilerekefuxi.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000103d2.bin
d7bde7c17bb61dbee1f4c231623224685f518602886fa0b206e713b4bc90e88f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x103D2 2960 bytes
font_01_sfnt_off00010e60.bin
27523525f3c7eba9c45946acf05575b605b7bff6444632935f64fca13eaf3e11		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10E60 5428 bytes
font_02_sfnt_off000120fa.bin
5316cf8ea084c258f006cef4147cc0079c10fa32292e7e8befd90e75364a95e8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x120FA 12428 bytes
font_03_sfnt_off00014a5a.bin
48aff817bde83783653ef2c2e952d5b04229e9ab14dea8968ba0602ff0718588		 pdf-font-stream PDF embedded font (sfnt) at offset 0x14A5A 16204 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.