Malicious PDF — malware analysis report

Static analysis result for SHA-256 5a137100923e0cd8…

Verdict: MALICIOUS
File type: PDF
Size: 86.7 KB
Created: 2021-03-02 19:22:58 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: cca7269d1110b66d3ee2d30ce2a94771
SHA-1: 54fe05420dc3c6b571b2d2d4ec442e7d696b8a5d
SHA-256: 5a137100923e0cd82e0e4560939a7752c930d35d88e5f924b6603b9c4db1fe55
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was detected as malicious by ML classifiers and ClamAV, indicating a phishing or trojan payload. It contains an external URI pointing to a suspicious domain, likely intended to redirect the user to a malicious site. The document body, though heavily obfuscated, contains metadata suggesting it was generated by wkhtmltopdf, a tool often used to create malicious PDFs.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://zajinet.ru/123?utm_term=pentair+intellichlor+flow+switch+replacement
    • https://cdn.sqhk.co/nipigagavadu/ieGhemG/go_chicken_go.pdf
    • http://theraisins.pro/86326874468csrtz.pdf
    • https://cdn.sqhk.co/bidomutarili/8Gohghj/pemufa.pdf
    • http://instgrmmverifiedbadge.com/the_crown_season_5_episode_7_castf3bqy.pdf
    • http://ridaxaki.mywebcommunity.org/lirozironupomizuji.pdf
    • https://cdn.sqhk.co/kawinojos/6J6jggY/brawl_stars_box_simulator.pdf
    • http://nonowun.mywebcommunity.org/fuxekejelat.pdf
    • http://decideyouself.fun/gym_jones_training_plans_reviewm7k19.pdf
    • http://muvirire.22web.org/due_diligence_report_companies_act_2013.pdf
    • https://cdn.sqhk.co/xixujipum/HHjd5sF/22341962850.pdf
    • http://fukuzowi.sportsontheweb.net/vupigezotitewapaziwisugu.pdf
    • http://minesaxofunawi.getenjoyment.net/beruwoniroguvefilubu.pdf
    • https://static.s123-cdn-static.com/uploads/4501775/normal_5feb3867cde62.pdf
    • http://help-verification.com/amphibian_deformities_current_state_of_knowledgeww86g.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://supetok.rf.gd/78046593810.pdf
    • http://texazufuvo.rf.gd/69449845716.pdf
    • http://zidufixeda.epizy.com/adobe_photoshop_cc_2015_bangla_tutorial.pdf
    • http://sujotoginejo.rf.gd/70871553067.pdf
    • https://s3.amazonaws.com/towakog/cinema_4d_trial.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0001118d.bin
SHA-256: 5c54a10d1d9d35da669639e45849d292ea37a3107cab4a1bedbf2ae2c4cc383c
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1118D
Size: 5348 bytes

Filename: font_01_sfnt_off000123a9.bin
SHA-256: 2d2d3643cc430dd87e448f6321827c7eb71866ab21659af322a12d9110c07ab3
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x123A9
Size: 12392 bytes