Malicious PDF — malware analysis report

Static analysis result for SHA-256 6195d71e233e602e…

MALICIOUS

PDF

Size: 81.0 KB
Created: 2021-03-30 06:50:28 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4019b8de20c2e82c996d81f036397d61
SHA-1: c940fac0febe885f7b69cbdfa758054aa53c9b44
SHA-256: 6195d71e233e602eda4a7858864778e2d63a86d50028e64f7a93c90e364a16f0
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is identified as a malicious PDF by multiple heuristics and a machine learning classifier. It contains embedded URIs, with 'https://zajinet.ru/award?keyword=atmananda+krishna+menon+books+pdf' being a prominent example. The presence of these external links suggests an attempt to redirect users to malicious sites, characteristic of phishing or malware delivery campaigns. No scripts were extracted, but the PDF structure itself is flagged as suspicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000ee9c.bin | 80cd29f45a0bb1e6ffab1817398b6af4a3dfb68a12eac8c79079b82c301deac8 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEE9C | 5232 bytes
font_01_sfnt_off00010027.bin | 461b811fbaeb1cd19a3b8aff6c51e2439c18aa8aacb0dc6cc630e164588447b1 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10027 | 12376 bytes
font_02_sfnt_off000128ab.bin | 7f6049e5011acf0e8581793f2bc2bb947aac2929fdb77abc318b2a6155c1ef71 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x128AB | 4324 bytes