Malicious PDF — malware analysis report

Static analysis result for SHA-256 612f2bac4e13f966…

Verdict: MALICIOUS
File type: PDF
Size: 80.7 KB
Created: 2021-03-10 04:40:00 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 53d778fcebee0d8e1d21c6913acbabac
SHA-1: d2449132bec63b4aa192584dbe116245e2f1e56e
SHA-256: 612f2bac4e13f9660fa08b939af3767d5d6e1c0f0906162c1ff862dde04ec499
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The file was classified as malicious by the ML classifier (score 0.9996) and by ClamAV (a Pdf.Phishing.Trojan signature). The document carries one external URI action whose target, https://pelibifir.ru/aws?utm_term=navien+tankless+water+heater+venting+instructions, uses a search-style query string ("navien tankless water heater venting instructions") as the lure text; the remaining URLs in the body are similar PDF-lure links on free hosting and CDN domains, plus XMP namespace identifiers and a font licence URL that are not navigation targets. The wkhtmltopdf producer string is consistent with an HTML lure page rendered to PDF. No JavaScript or other script content was extracted, so the T1059.007 mapping rests on the classifier verdict rather than on a recovered script; the evidence on hand supports a phishing redirect lure delivered as a PDF attachment (T1566.001). The duplicate-object finding below means that first-wins and last-wins parsers may resolve different content for the same object, so any reader or sandbox result should be checked against both resolutions.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV matched this file against a PDF phishing signature.
  • External URI action (info, PDF_URI)
    The PDF contains an external URL action (/S /URI).
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader resolves the earlier definition and a last-wins reader the later one, so the two see different content; this parser-confusion shape is used by targeted PDFs to show one thing to a scanner and another to the viewer. Body-only differences are also normal in benign incremental updates (an editor appends a new copy of an object rather than rewriting the file), so severity is raised only when the duplicate carries active content such as an action, script or embedded file.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label records which channel (macro, JS, link annotation, document body, ...) reached each URL. The w3.org, purl.org and ns.adobe.com entries below are XMP/RDF namespace identifiers from the document metadata and scripts.sil.org/OFL is the SIL Open Font License URL carried by an embedded font; none of these is a navigation target.
    Primary URL (external URI action target): https://pelibifir.ru/aws?utm_term=navien+tankless+water+heater+venting+instructions
    Other URLs found in the document body and metadata:
    • https://cdn.sqhk.co/modonasuje/pHujfO6/41967433164.pdf
    • https://static.s123-cdn-static.com/uploads/4469103/normal_5febc6ec82f7c.pdf
    • http://xazivigufimu.22web.org/men_s_health_uk_gift_guide.pdf
    • https://static.s123-cdn-static.com/uploads/4489615/normal_60015fb147701.pdf
    • https://cdn.sqhk.co/wovupeni/jdhhhgf/photo_studio_collage_maker.pdf
    • https://cdn-cms.f-static.net/uploads/4472486/normal_60371ab83f1f6.pdf
    • https://cdn-cms.f-static.net/uploads/4501229/normal_5fea27912bc92.pdf
    • http://didanak.22web.org/how_to_do_hess_law_problems.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • http://toxiramagelovit.epizy.com/tamil_full_movie_2019_tamilrockers.pdf
    • http://deriwabip.epizy.com/netgear_prosafe_gs108pe_default_ip.pdf
    • http://kevakop.epizy.com/cantos_del_camino_neocatecumenal_mp3.pdf
    • http://jebowozuguvufot.rf.gd/nice_guidelines_for_asthma_2018.pdf
    • https://a1c9bafd-2917-4c1b-b79c-a4b44a941470.filesusr.com/ugd/f0f215_0550f3b562f64b98a87d9dcff1a9f3e9.pdf?index=true
    • https://a146b927-ed54-472d-b3a8-6b137e313b92.filesusr.com/ugd/4d400c_251a5311ce4947918ba6316e563dbe59.pdf?index=true
    • http://fidobagasamos.epizy.com/tekutewavaxesumu.pdf
    • https://9170d309-caca-4186-8987-bf6b40ce219c.filesusr.com/ugd/baef12_9a759ae65028449a97f920072756d4b3.pdf?index=true
    • https://502f924d-676a-41b3-8220-87c01882f600.filesusr.com/ugd/5a20bb_106686fa730944b78b5f82bc8f7fc17d.pdf?index=true
    • http://zezajezo.epizy.com/mofonisekaxugevuxojawofi.pdf
    • http://kotutuvotijol.rf.gd/chromatic_music_sheet.pdf
    • https://e6676b24-921d-4f57-8fca-beda98688f3c.filesusr.com/ugd/144d27_0d7d4ea8756a4482a51a72a1110dcbe7.pdf?index=true
    • http://zokitidekav.epizy.com/2016328058.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
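The three structural heuristics above (PDF_URI, EMBEDDED_URL with per-channel labels, and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) can be reproduced with a small amount of parsing. The following script is an added example written for this page; it is not the analysis platform's own code. The sample PDF bytes it scans are constructed for the example (an annotation whose /URI is redefined by an incremental update, plus an XMP metadata stream); only the pelibifir.ru lure URL is taken from the report. It reads uncompressed object bodies only and does not dereference indirect /URI values or inflate object streams.

```python
"""
Added example (not from the original report or its tooling): minimal PDF
triage reproducing PDF_URI, EMBEDDED_URL (URLs labelled by channel) and
PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (one object defined twice with
different bodies, as an incremental update does) on a constructed sample.
"""
import re

# 'N G obj ... endobj' in file order. The lookbehind stops '10 0 obj' from
# also matching as '0 0 obj'; 'endobj' never matches because digits must precede.
OBJ_RE = re.compile(rb"(?s)(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj")
URI_LIT_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")   # /URI (literal string)
URI_HEX_RE = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")       # /URI <hex string>
ANY_URL_RE = re.compile(rb"https?://[^\s<>()\"']+")
# Keys that make a duplicated object worth raising: anything that executes,
# navigates, submits, launches or embeds.
ACTIVE_RE = re.compile(rb"/(JS|JavaScript|Launch|URI|SubmitForm|GoToR|OpenAction|AA|EmbeddedFile)\b")

_ESC = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}


def unescape_literal(s: bytes) -> bytes:
    """Resolve PDF literal-string escapes: \\( \\) \\\\ and the named ones."""
    return re.sub(rb"\\(.)", lambda m: _ESC.get(m.group(1), m.group(1)), s)


def iter_objects(pdf: bytes):
    """Yield (num, gen, body, offset) for every indirect object definition."""
    for m in OBJ_RE.finditer(pdf):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip(), m.start()


def uri_actions(body: bytes) -> list:
    """Targets of direct /URI strings in one object body (literal or hex)."""
    out = [unescape_literal(m.group(1)).decode("latin-1") for m in URI_LIT_RE.finditer(body)]
    for m in URI_HEX_RE.finditer(body):
        h = re.sub(rb"\s", b"", m.group(1)).decode()
        out.append(bytes.fromhex(h + "0" * (len(h) % 2)).decode("latin-1"))  # odd digit count is padded with 0
    return out


def duplicate_objects(pdf: bytes) -> dict:
    """{(num, gen): [body, ...]} for objects defined more than once with
    at least two different bodies, bodies kept in file order."""
    seen = {}
    for num, gen, body, _ in iter_objects(pdf):
        seen.setdefault((num, gen), []).append(body)
    return {k: v for k, v in seen.items() if len(set(v)) > 1}


def triage(pdf: bytes) -> dict:
    """URLs labelled by channel, plus first-wins/last-wins resolution of duplicates."""
    link_targets = set()
    for _, _, body, _ in iter_objects(pdf):
        link_targets.update(uri_actions(body))                 # PDF_URI channel
    urls = {}
    for m in ANY_URL_RE.finditer(pdf):                          # EMBEDDED_URL, any channel
        u = m.group(0).decode("latin-1")
        urls[u] = "link_action" if u in link_targets else "body"
    dups = {}
    for key, bodies in duplicate_objects(pdf).items():          # PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
        dups[key] = {
            "count": len(bodies),
            "first_wins": uri_actions(bodies[0]),               # what a first-wins reader navigates to
            "last_wins": uri_actions(bodies[-1]),               # what a last-wins reader navigates to
            "severity": "high" if any(ACTIVE_RE.search(b) for b in bodies) else "info",
        }
    return {"urls": urls, "duplicates": dups}


# Constructed sample (no xref tables; the parser above does not need them).
# Object 4 is a link annotation that the appended update repoints at the lure.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Metadata 5 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >>\nendobj\n"
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [72 700 300 720]\n"
    b"   /A << /S /URI /URI (https://example.org/venting_instructions.pdf) >> >>\nendobj\n"
    b"5 0 obj\n<< /Type /Metadata /Subtype /XML /Length 66 >>\nstream\n"
    b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/>\n'
    b"endstream\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [72 700 300 720]\n"
    b"   /A << /S /URI /URI (https://pelibifir.ru/aws?utm_term=navien+tankless+water+heater+venting+instructions) >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    result = triage(SAMPLE_PDF)
    for url, channel in result["urls"].items():
        print(f"EMBEDDED_URL [{channel}] {url}")
    for (num, gen), d in result["duplicates"].items():
        print(f"PDF_DUPLICATE_OBJ_BODY_INCREMENTAL {num} {gen} obj x{d['count']} "
              f"severity={d['severity']} first-wins={d['first_wins']} last-wins={d['last_wins']}")
```

On the sample, the metadata namespace is labelled `body` while both annotation targets are labelled `link_action`, and object 4 is reported at high severity with the benign URL under first-wins and the lure under last-wins; a scanner that takes the first definition and a viewer that takes the last would disagree about where the link goes, which is exactly the ambiguity the heuristic flags.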

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000efa2.bin
  SHA-256: 3cd643622a5cb3d50a135f78239e63ca1c88e364fea74f4e2357d9af55c8c0d7
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xEFA2
  Size: 5128 bytes

Filename: font_01_sfnt_off00010122.bin
  SHA-256: c343ece5a5f0f98f15700679496cccd8fdfbb6e7bd2927c593a7d43d93e0ca5b
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10122
  Size: 10984 bytes

Filename: font_02_sfnt_off000126ae.bin
  SHA-256: b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x126AE
  Size: 4324 bytes