Malicious PDF — malware analysis report

Static analysis result for SHA-256 5e9c160b970bedb8…

MALICIOUS

PDF

Size: 99.9 KB
Created: 2021-03-27 20:00:18 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2c824662ef68eb9268a436c517b89587
SHA-1: accd866eff795fa087b07b924e8a340011ef6838
SHA-256: 5e9c160b970bedb8f4fb63538245fd47314ccf4560730affdeb4c8b83a0f6fa2
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is identified as malicious by ML classifiers and ClamAV, specifically as a phishing trojan. The embedded URL points to a suspicious domain, likely used to host malicious content or phishing pages. Although no scripts were explicitly extracted, the PDF structure and the presence of external URIs suggest an attempt to redirect the user to a malicious site, aligning with spearphishing tactics.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL https://maypoin.ru/wix?keyword=unblocked+beast+games+66
    • https://cdn-cms.f-static.net/uploads/4457302/normal_60556c24ab663.pdf
    • https://cdn.sqhk.co/vebudirepo/r07tjf1/39111741975.pdf
    • http://rotukefune.getenjoyment.net/90045567180.pdf
    • https://static.s123-cdn-static.com/uploads/4369317/normal_6008616545632.pdf
    • https://static.s123-cdn-static.com/uploads/4373527/normal_5fdfb78737e2e.pdf
    • https://cdn-cms.f-static.net/uploads/4391013/normal_600e303be8f55.pdf
    • https://cdn-cms.f-static.net/uploads/4474471/normal_6055fe35eb9c3.pdf
    • https://cdn-cms.f-static.net/uploads/4412170/normal_6056d541475d8.pdf
    • https://cdn-cms.f-static.net/uploads/4494136/normal_6011eaa777b29.pdf
    • http://belepebo.mywebcommunity.org/gobadowemanixij.pdf
    • http://vumogegotawugub.mypressonline.com/how_to_do_dj_mix.pdf
    • https://cdn.sqhk.co/perikowep/gidrjaH/gudataw.pdf
    • https://cdn-cms.f-static.net/uploads/4417024/normal_5fea3957a4410.pdf
    • http://woxijakuzadajew.getenjoyment.net/jikaja.pdf
    • https://static.s123-cdn-static.com/uploads/4456984/normal_5ff45f4b8b5ed.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/tibitexil/11343658392.pdf
    • https://s3.amazonaws.com/suxuzubojut/lofebunijurat.pdf
    • https://s3.amazonaws.com/tufujifinobiro/91751701877.pdf
    • https://s3.amazonaws.com/dovulavavo/cbc_test_with_differential.pdf
    • https://s3.amazonaws.com/boduxatavepe/online_admission_form_for_du_sol.pdf
    • https://s3.amazonaws.com/tinezedu/does_target_take_back_rock_n_play.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://savannah.gnu.org/projects/freefont/
    • http://www.gnu.org/licenses/
    • http://www.gnu.org/copyleft/gpl.html
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

  • font_00_sfnt_off00012510.bin
    SHA-256: a606a6dede3b99472d2ac97761204782646b5f75106b48d1abccbe9a99ca9a4c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12510
    Size: 6440 bytes
  • font_01_sfnt_off00013504.bin
    SHA-256: 743519d764db1392ec0e708d05f71e5639ec355aee041d372937709e0d5485a3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x13504
    Size: 5512 bytes
  • font_02_sfnt_off000147b3.bin
    SHA-256: 0bf1944bc6768efce998552889bf30a1d9481ffd97bfaeab14f9549ad564bb26
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x147B3
    Size: 10940 bytes
  • font_03_sfnt_off00016d37.bin
    SHA-256: 9559dd1bd908241551916101fda3d445a26f5c4b506a1423f23393456f9d5940
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x16D37
    Size: 16036 bytes