Malicious PDF — malware analysis report

Static analysis result for SHA-256 5ed35fb78ca92c1b…

Verdict: MALICIOUS
File type: PDF
Size: 164.9 KB
Created: 2021-03-25 17:10:11 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f4b6a09836217c7927d922084433fb41
SHA-1: c20e2a9aa7db4ec91a4e073a59af64d67352ee4f
SHA-256: 5ed35fb78ca92c1b1170e211a3ed95cbbed0596368874b492ef03f190a529a16
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains an embedded URL that redirects to a suspicious domain, likely as part of a phishing or malware distribution scheme. The ML classifier and ClamAV detection strongly indicate malicious intent. Although no scripts were explicitly extracted, the PDF structure and embedded URI heuristic suggest an attempt to redirect the user to a malicious site.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9543

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off00022883.bin
    SHA-256: a65dfeba5f04c9f9dae8d36e0461089409e63a77519958d7fb1712fdfe66acbe
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x22883
    Size: 5652 bytes
  • font_01_sfnt_off00023bf9.bin
    SHA-256: d8965a92e986542db2127aea616541fd9ebdadd445a6dd577f9db17bea25c36a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x23BF9
    Size: 5424 bytes
  • font_02_sfnt_off00024e36.bin
    SHA-256: b5aaf68762ce406621abbcd07e86681981a0efb75e8e47847738c6125643e906
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x24E36
    Size: 11412 bytes
  • font_03_sfnt_off0002745b.bin
    SHA-256: ce7e2e230a41ba6fc2d7d2240890c8289d67876d84a3d076d67c0b48111c8230
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2745B
    Size: 4324 bytes