Malicious PDF — malware analysis report

Static analysis result for SHA-256 5c24734aec1eeb45…

MALICIOUS

PDF

Size: 75.5 KB
Created: 2021-03-18 04:44:10 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e7bd77bc5858ce5926dbee228c8d5768
SHA-1: 974d2b159b66819db969f8d89f08dc803bacc884
SHA-256: 5c24734aec1eeb45e7a679726ef56dfe3c41af55a824c0546b31165f3027d45d
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF document that contains an embedded URL pointing to a malicious domain, identified by ClamAV as Pdf.Phishing.Trojan. The document body, though heavily obfuscated, suggests a lure related to 'density problems worksheet answer key', indicating a phishing attempt. The presence of an external URI and the ML classifier's high confidence further support this assessment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://vilenefex.ru/wix?keyword=density+problems+worksheet+answer+key
    • https://cdn-cms.f-static.net/uploads/4365998/normal_601bb51d3ade5.pdf
    • https://static.s123-cdn-static.com/uploads/4407989/normal_5ff8eef6ba2e4.pdf
    • https://cdn.sqhk.co/bisuligiga/iiI4UJp/furniture_mod_minecraft_1._16._3_download.pdf
    • http://tetufava.iblogger.org/sociopath_checklist.pdf
    • https://cdn.sqhk.co/rewazexi/PgfifPI/60136435464.pdf
    • https://cdn.sqhk.co/mitejapeki/6Vcggie/hernia_inguinal_y_umbilical_pediatria.pdf
    • https://cdn.sqhk.co/leporolino/ajejjhh/f1_2016_ps4_trophy_guide.pdf
    • https://cdn.sqhk.co/noxivudeva/LnggihD/tegivofadizofixat.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/655f0386-8c11-431d-9eda-1e9f5cd51319/frigidaire_ultra_quiet_iii_parts_diagram.pdf
    • https://04a9e765-cf69-4035-9b9a-998d8fb4e692.filesusr.com/ugd/8c5016_fc6565b55edd42a985438c6ce83e4856.pdf?index=true
    • https://d102a0f2-001f-4998-bb0a-88ac30ac05b5.filesusr.com/ugd/771ea4_51aabe814b4e4a11b74f60080be8b591.pdf?index=true
    • http://tigabogoramor.rf.gd/dell_inspiron_n5010_hard_drive_connector.pdf
    • https://uploads.strikinglycdn.com/files/dbd6402a-a2e8-42cc-9cbe-13d0e8912741/chocolate_miniature_dachshund_for_sale.pdf
    • https://02ee9779-94d6-4ec7-959f-c0f99fe19a35.filesusr.com/ugd/cdc607_454bd51e0c304e3498aae963f62853a3.pdf?index=true
    • https://26c1613e-5d28-4fa3-89cb-3d2c9ab59faf.filesusr.com/ugd/fe83c3_d0a92cf01d6a41c4a0512f204f3eca68.pdf?index=true
    • https://uploads.strikinglycdn.com/files/04942de0-ba41-4548-937d-628f4465b034/wolfgang_puck_rice_cooker_user_manual.pdf
    • http://potopaf.epizy.com/3167855999.pdf
    • https://uploads.strikinglycdn.com/files/ddcc5bb9-3350-4715-85ab-25d887b385f2/49390402550.pdf
    • http://bubalafugevale.rf.gd/9704447023.pdf
    • http://defefefesid.rf.gd/5581864414.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000e894.bin
  SHA-256: e584e1b7396d99eb071cb3c848e46c3d45be99b9bd17143ec9076a15bc2f52f4
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xE894
  Size: 5456 bytes

Filename: font_01_sfnt_off0000fb0a.bin
  SHA-256: 4e732521babd0953f9886d03bc96feeb36ff6b458484367bdbd7cbe70b8881a4
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xFB0A
  Size: 11028 bytes