Malicious PDF — malware analysis report

Static analysis result for SHA-256 5af09c016f388f5b…

Verdict: MALICIOUS
File type: PDF
Size: 77.0 KB
Created: 2021-05-25 02:10:46 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c11d646d33a11850b0d4ad128f2df0c5
SHA-1: 19242208b1a68e5f6e95aeaf722413cc338ec275
SHA-256: 5af09c016f388f5bb6b45f38a3e7e342165ff5f1625e8333cc382e92af84ba2e
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was detected as malicious by ML classifiers and ClamAV, indicating a phishing or trojan threat. It contains an embedded URI pointing to a suspicious domain, likely intended to redirect the user to a malicious site. Although no scripts were explicitly extracted, the PDF structure and embedded URI suggest an attempt to deliver a malicious payload or phish for credentials.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://vilenefex.ru/strik?utm_term=do+you+capitalize+college+majors+in+a+sentence

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000eec3.bin
    SHA-256: ec15d5752be992a07c8f478ffca4f6e0d71bfe127e315132d6405a4e57691a65
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEEC3
    Size: 5480 bytes
  • Filename: font_01_sfnt_off0001016c.bin
    SHA-256: 8630b7dff556e745487c710f7c6d03f481364ea08a558f37889cf479dbbd556a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1016C
    Size: 10752 bytes