Malicious PDF — malware analysis report

Static analysis result for SHA-256 5ad8a00530c8e65d…

MALICIOUS

PDF

Size: 83.8 KB
Created: 2021-03-17 19:49:06 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 68588280ba504ba7023e064c71b2e72b
SHA-1: e76a1b9286012002ee15b14370956761422803a0
SHA-256: 5ad8a00530c8e65db45c725023ae4db5f5b20a32a5dca94f6a05a281dcd72db3
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains multiple embedded URLs, with one specifically pointing to a search result for 'melon apk premium', suggesting a phishing or malware distribution lure. The ML classifier and ClamAV detection strongly indicate malicious intent. While no scripts were directly extracted, the presence of external links and the nature of the embedded text point towards an attempt to trick users into downloading potentially harmful applications.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://golowaki.ru/wix?keyword=melon+apk+premium

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000ea74.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEA74 | 4856 bytes
    SHA-256: 33f0b4aebfafdcd99e820f6149612131f41ef7ddd19729019937a757d5824494
font_01_sfnt_off0000fae3.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFAE3 | 1964 bytes
    SHA-256: 409ee9a3885541ffdc58d6bd2d6bfd260a46de59e4270c8c7780dd2af6cdbafe
font_02_sfnt_off0001043c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1043C | 11800 bytes
    SHA-256: 4e13daed4384496c66b8499b18497790549724ae1e9b7c6195d5cf2b4d3d55e1
font_03_sfnt_off00012c5d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12C5D | 16144 bytes
    SHA-256: 5a8b9d89b6d3907171af016d39e97b4ef3e0028d5c681e0d833e84c99888c652