Malicious PDF — malware analysis report

Static analysis result for SHA-256 604238305f2f4c90…

MALICIOUS

PDF

Size: 81.6 KB
Created: 2021-03-08 05:08:11 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c7b7ab770a32e5d4ca24aceb3224fc02
SHA-1: 1baaffb5e592472f4bad6f21fdc38105cf9f7a8d
SHA-256: 604238305f2f4c9096585e434db04563f8881b356e4031b054a39ec3e289dc5e
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. The presence of an external URI action points to a phishing or malware-distribution attempt. Although no scripts were extracted, the PDF structure and embedded URLs suggest it is designed to redirect users to malicious sites, most likely for credential harvesting or further payload delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000f42e.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xF42E   4876 bytes
    SHA-256: 280c6524abcc69aa0c0a402c0b7b71229fd3c7a330299f0e4822948cd5aaab3b
font_01_sfnt_off000104c2.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x104C2  11276 bytes
    SHA-256: f26852cc8629db1116a34307fde0083004c8ce5a2e428601d451805e0e90265a
font_02_sfnt_off00012b0d.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x12B0D  4324 bytes
    SHA-256: 1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361