Malicious PDF — malware analysis report

Static analysis result for SHA-256 5ce480c05d74c3d9…

Verdict: MALICIOUS
File type: PDF

Size: 71.8 KB
Created: 2021-04-04 20:30:32 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 21289037edd8c5f1aed8f9e4d408a625
SHA-1: 2cf64c74d9938655ad04d27c2321fb27ea954e3b
SHA-256: 5ce480c05d74c3d9d92fc35311471ec30845dfcae38a1770545a4043e49ca943
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The file was classed as malicious by the Nyx ML classifier (score 0.9993) and by ClamAV's Pdf.Phishing.Trojan signature. It carries an unusually large number of embedded URLs. The primary one, https://jacksth.ru/wix?keyword=language+disorders+from+infancy+through+adolescence+5th+edition+pdf, encodes a search phrase for a textbook PDF, and most of the others are throw-away hostnames on free hosting (scienceontheweb.net, mypressonline.com, mygamesonline.org, cdn.sqhk.co, uploads.strikinglycdn.com) pointing at unrelated *.pdf filenames. That is the shape of a mass-produced "download this PDF" lure rather than a document written for a reader. The document body, although heavily obfuscated, is consistent with the title in the lure URL, which reinforces the social-engineering angle, and the authoring metadata (wkhtmltopdf, i.e. an HTML page rendered to PDF) fits bulk generation. No JavaScript or other script objects were extracted, so the T1059.007 mapping is not corroborated by any carved artifact; the verdict rests on the signature, the classifier score and the volume of external links, which together indicate a phishing or downloader campaign rather than an exploit document. Not every listed URL is an indicator: the w3.org, purl.org and ns.adobe.com entries are XMP metadata namespace URIs, and scripts.sil.org/OFL and the ascendercorp.com entries are most likely license and vendor URLs from the name tables of the two embedded fonts.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9993

Heuristics (4)

  • ClamAV detection critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader resolves the earliest definition and a last-wins reader the latest, so two viewers can render different content from one file; this parser-confusion shape is used by targeted PDFs. Body-only differences are also common in benign incremental updates (a saved edit appends a new copy of the changed object), so severity is raised only when the duplicated object carries active content such as an action or script.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://jacksth.ru/wix?keyword=language+disorders+from+infancy+through+adolescence+5th+edition+pdf (primary URL)
    • http://vivudanu.scienceontheweb.net/undercover_economist_download.pdf
    • https://cdn.sqhk.co/zuxosutuku/dTLghQd/stor-_mor_self_storage_fort_collins.pdf
    • http://veviwumifuvemuz.mypressonline.com/muvalutekozijufadexugun.pdf
    • http://tideparipawovu.mygamesonline.org/xosejevipomonaxonolagipa.pdf
    • http://tivuximuliku.mygamesonline.org/lidocaine_patch_davis.pdf
    • http://rating-bookmaker.ru/ludo_championship_mod_apkfnbbo.pdf
    • http://koxudizujan.mywebcommunity.org/44714856021.pdf
    • http://degifutuv.scienceontheweb.net/psychological_testing_for_adhd_in_adults.pdf
    • https://cdn.sqhk.co/vemegunir/dTjjyFH/97736273579.pdf
    • https://cdn.sqhk.co/xawobovuji/jdihzie/bawavesufugo.pdf
    • http://nanonewe.scienceontheweb.net/how_to_repair_the_heating_element_on_a_dryer.pdf
    • http://latencfsrt.space/loberutinenopot4wbsp.pdf
    • https://cdn.sqhk.co/fumodolanes/iOjajfO/cafetaria_marco_den_haag.pdf
    • http://pawomodom.medianewsonline.com/6947148743.pdf
    • http://muldwych.com/how_to_remote_control_air_conditionerq5rpu.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/8a129334-08b3-4552-aa65-a9ddde64c619/calculus_of_variations.pdf
    • https://uploads.strikinglycdn.com/files/7fde81b0-8952-488c-b103-8bfaecbb161c/tigojod.pdf
    • https://uploads.strikinglycdn.com/files/aa343bff-4e5d-42b2-a30f-32145f64d776/how_to_build_a_model_windmill_generator.pdf
    • https://uploads.strikinglycdn.com/files/58f5cde3-1687-476c-ae45-621740d7d55c/wazukebisuxipixixup.pdf
    • http://purewowesajumu.myartsonline.com/manual_arcmap_10_espaol.pdf
    • https://uploads.strikinglycdn.com/files/ec2a497e-01c2-4668-a3fb-58516bb4283e/68076570575.pdf
    • https://uploads.strikinglycdn.com/files/fee6fcdd-f025-4fa3-bfe3-7d200f128d1c/mupimuzujoxapukisunupi.pdf
    • http://wokarodefi.onlinewebshop.net/multivariate_statistical_methods_donald_f._morrison.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
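As an added example (not output of the analysis tool and not code from the original report), the following Python scanner reproduces the logic behind the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and EMBEDDED_URL heuristics above on a constructed PDF: it collects every definition of each indirect object, flags objects whose bodies differ, extracts the /URI strings that a first-wins reader and a last-wins reader would each reach, and raises severity only when the duplicated object carries an action key. The sample PDF, its object numbers and the example.invalid URLs are constructed for the demonstration; the scanner runs a regex over raw bytes rather than following the xref tables, so it sees objects a strict parser would ignore, but it does not decode compressed object streams.

```python
import hashlib
import re

# Constructed sample, not the analysed file: a minimal PDF whose incremental
# update redefines object 5 (a link annotation) with a different /URI.
# The trailers are deliberately skeletal; the scanner below does not use xref.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.invalid/benign) >> >> endobj
trailer << /Root 1 0 R /Size 6 >>
%%EOF
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.invalid/lure) >> >> endobj
trailer << /Root 1 0 R /Size 6 /Prev 0 >>
%%EOF
"""

OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Keys whose presence makes a duplicated object "active" for severity purposes.
ACTIVE_KEYS = (b"/URI", b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction", b"/AA")


def collect_objects(data):
    """Map 'N G' -> every body defined for that object, in file order."""
    objs = {}
    for m in OBJ_RE.finditer(data):
        key = f"{int(m.group(1))} {int(m.group(2))}"
        objs.setdefault(key, []).append(m.group(3).strip())
    return objs


def duplicate_bodies(objs):
    """Objects defined more than once whose bodies are not byte-identical."""
    return {k: v for k, v in objs.items()
            if len(v) > 1 and len({hashlib.sha256(b).digest() for b in v}) > 1}


def uris_seen_by(objs, policy):
    """URIs a reader would reach under first-wins or last-wins resolution."""
    seen = {}
    for key, bodies in objs.items():
        body = bodies[0] if policy == "first" else bodies[-1]
        uris = [m.group(1).decode("latin-1") for m in URI_RE.finditer(body)]
        if uris:
            seen[key] = uris
    return seen


def analyse(data):
    objs = collect_objects(data)
    dups = duplicate_bodies(objs)
    active = any(k in b for bodies in dups.values() for b in bodies for k in ACTIVE_KEYS)
    return {
        "duplicates": {k: [b.decode("latin-1") for b in v] for k, v in dups.items()},
        "first_wins": uris_seen_by(objs, "first"),
        "last_wins": uris_seen_by(objs, "last"),
        # Mirrors the heuristic's rule: body-only duplicates stay informational
        # unless the duplicated object carries an action or script.
        "severity": "high" if active else "info",
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyse(SAMPLE_PDF), indent=2))
```

On the constructed sample the two policies disagree on object 5: a first-wins reader follows the benign URL, a last-wins reader the lure, and because the duplicated object carries a /URI action the severity is raised rather than left at the informational level that a plain incremental save would get.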

Extracted artifacts (2)

Files carved from inside the sample during analysis. Both artifacts are embedded sfnt (TrueType/OpenType) font programs, which is expected for a wkhtmltopdf-rendered document; no script, executable or second-stage payload was carved. Note that 0xDA8A plus 5736 bytes runs past 0xEDF8, which indicates that the sizes are decoded font lengths rather than raw spans of the file at those offsets.

  • font_00_sfnt_off0000da8a.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDA8A
    Size: 5736 bytes
    SHA-256: 4e927d654d70c6e4325349382ebebdd200102a3fc2aa7f7f55b6869eebbd36a6
  • font_01_sfnt_off0000edf8.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEDF8
    Size: 10408 bytes
    SHA-256: c8829739c13dad50a4db64e041a759dc1424683e1f6a03c727593e07b913b379
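Font artifacts like the two above can be reproduced with a small carver. The following Python is an added example, not the tool's own carving code: it scans a byte buffer for the sfnt magics (0x00010000, OTTO, true), validates the table directory so that a PDF boolean `true` is not mistaken for a TrueType header, derives the font length from the furthest table end, and names each hit in the font_NN_sfnt_offXXXXXXXX.bin style used in the table. The two fonts and the PDF-like wrapper are constructed inline. It assumes font streams are stored uncompressed; a Flate-compressed FontFile stream would need inflating before scanning.

```python
import re
import struct

SFNT_MAGICS = re.compile(rb"\x00\x01\x00\x00|OTTO|true")
MAX_TABLES = 64  # sanity bound; real fonts stay well below this


def build_sfnt(tables, version=b"\x00\x01\x00\x00"):
    """Assemble a minimal sfnt container from (tag, data) pairs (test data only)."""
    n = len(tables)
    header = struct.pack(">4sHHHH", version, n, 0, 0, 0)
    records, body = b"", b""
    offset = 12 + 16 * n
    for i, (tag, data) in enumerate(tables):
        records += struct.pack(">4sIII", tag, 0, offset, len(data))
        pad = b"\0" * ((-len(data)) % 4) if i < n - 1 else b""  # last table left unpadded
        body += data + pad
        offset += len(data) + len(pad)
    return header + records + body


def parse_sfnt_at(data, off):
    """Validate an sfnt header at `off`; return its extent and table tags, or None."""
    if off + 12 > len(data):
        return None
    num_tables = struct.unpack_from(">H", data, off + 4)[0]
    dir_len = 12 + 16 * num_tables
    if not 1 <= num_tables <= MAX_TABLES or off + dir_len > len(data):
        return None
    end, tags = 0, []
    for i in range(num_tables):
        tag, _csum, toff, tlen = struct.unpack_from(">4sIII", data, off + 12 + 16 * i)
        if not all(0x20 <= c < 0x7F for c in tag):
            return None  # table tags are printable ASCII
        if toff < dir_len or off + toff + tlen > len(data):
            return None  # tables must lie after the directory and inside the buffer
        end = max(end, toff + tlen)
        tags.append(tag.decode("ascii"))
    return {"offset": off, "size": end, "tables": tags}


def carve_sfnt(data):
    """Return every plausible sfnt program in `data`, named like the report's artifacts."""
    found = []
    for m in SFNT_MAGICS.finditer(data):
        font = parse_sfnt_at(data, m.start())
        if font:
            font["filename"] = f"font_{len(found):02d}_sfnt_off{font['offset']:08x}.bin"
            found.append(font)
    return found


# Constructed inputs: a TrueType-style font, a CFF-style font, and a PDF-like
# wrapper whose `/Flags true` literal must not be taken for a TrueType magic.
FONT_A = build_sfnt([(b"head", b"\x00" * 54), (b"cmap", b"\x01" * 30)])
FONT_B = build_sfnt([(b"CFF ", b"\x02" * 100)], version=b"OTTO")
SAMPLE = (b"%PDF-1.4\n4 0 obj << /Length 130 /Flags true >>\nstream\n" + FONT_A +
          b"\nendstream\nendobj\n6 0 obj << /Length 128 >>\nstream\n" + FONT_B +
          b"\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    for font in carve_sfnt(SAMPLE):
        print(f"{font['filename']}  offset 0x{font['offset']:X}  {font['size']} bytes  {font['tables']}")
```

The directory checks are what keep the carver honest on real PDFs: the literal `true` occurs constantly in dictionaries, and a 0x00010000 word also appears inside an OTTO font's own header, so every magic hit is parsed and rejected unless it leads to a coherent table directory.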