Malicious PDF — malware analysis report

Static analysis result for SHA-256 634f971653f64177…

Verdict: MALICIOUS
File type: PDF
Size: 81.6 KB
Created: 2021-03-13 19:07:46 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1a2c05bdd9fbea8ae1bf2f0409f22ef0
SHA-1: d0090f5c04ff45e1fa50f5f71198563bc3a29516
SHA-256: 634f971653f641778ecdbb1d2ef86245a9d5cd707f1a933bd44289d11bc5d807
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF carries an external URI action whose target domain is flagged as malicious by heuristics and by the machine-learning classifier; a ClamAV signature match (Pdf.Phishing.Trojan) corroborates the verdict. The document body is heavily obfuscated, but the search-style query string on the golowaki.ru link (come thou fount violin piano sheet music) and the long list of .pdf links on free-hosting domains point to a sheet-music download lure whose purpose is to get the reader to follow the malicious link. The sample also defines the same indirect object twice with different bodies, so a first-wins and a last-wins parser can render different content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9954

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV matched the file against the signature above (family Pdf.Phishing.Trojan, a phishing-lure PDF detection).
  • External URI [info] PDF_URI
    PDF contains an external URL action (a /URI action that opens a web address when its annotation or trigger fires).
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content (an action, JavaScript or an embedded file).
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://golowaki.ru/123?utm_term=come+thou+fount+violin+piano+sheet+music
    • https://cdn-cms.f-static.net/uploads/4452834/normal_60149399cb2cf.pdf
    • https://static.s123-cdn-static.com/uploads/4459062/normal_5fc917ef7595e.pdf
    • https://cdn-cms.f-static.net/uploads/4443326/normal_603288f274562.pdf
    • http://dufigep.scienceontheweb.net/fahrenheit_451_study_guide_questions_and_answers.pdf
    • http://gosoxegekiri.mywebcommunity.org/25939922510.pdf
    • https://cdn.sqhk.co/fugolamudara/Gig2jeW/infiniti_racing_car_price.pdf
    • https://cdn.sqhk.co/dolitife/ficgcha/iihf_world_championship_2018_winner.pdf
    • https://cdn-cms.f-static.net/uploads/4375352/normal_5fe82c30c9c6e.pdf
    • https://cdn.sqhk.co/genopeno/1gf04ic/totikododawebudabukoleg.pdf
    • http://janorewaxeno.mygamesonline.org/8197798073.pdf
    • http://punejew.mygamesonline.org/86781052962.pdf
    • https://cdn.sqhk.co/viforoge/UYgcjfP/classroom_management_definition_in_urdu.pdf
    • https://cdn-cms.f-static.net/uploads/4420235/normal_6025506080fe1.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • http://zenakezogutomu.onlinewebshop.net/casio_fx-9750gii_graphing_calculator_how_to_use.pdf
    • https://9fc80a0e-b25b-4135-afeb-9811a1ea6bf8.filesusr.com/ugd/91e123_9d846fe0e8384f9580563ee2a41a15f0.pdf?index=true
    • http://rizivubonulej.atwebpages.com/99213390390.pdf
    • https://uploads.strikinglycdn.com/files/51f6eea1-4465-4e14-85a1-d2df9ee5c1bb/51936398282.pdf
    • https://67a4337f-2b79-4d04-9c1d-2578c80f4945.filesusr.com/ugd/964009_17e055de59434deb9c58a5553ae17542.pdf?index=true
    • https://uploads.strikinglycdn.com/files/2c170bc9-59ab-4e02-9c23-62afe43455b5/samsung_galaxy_tab_4_7.0_price_in_ghana.pdf
    • https://e966359d-176b-477a-9ad9-c314bea94227.filesusr.com/ugd/fa6f14_df6cf75dec3244d081413e3c709ab3cb.pdf?index=true
    • https://uploads.strikinglycdn.com/files/c24cb751-a0a7-4046-a329-e230d0ccfb84/jalewurekiti.pdf
    • http://molagegivijoxu.onlinewebshop.net/zodaxisijulef.pdf
    • http://woranuganavot.myartsonline.com/rowofo.pdf
    • https://uploads.strikinglycdn.com/files/90e2816a-fad0-4989-9ab5-41512e7d50a2/45146053102.pdf
    • https://4b4b92a8-4ac5-4030-97d5-af0917f8c077.filesusr.com/ugd/0251f0_3fd7849e85a44e168bffaa0741aac483.pdf?index=true
    • https://uploads.strikinglycdn.com/files/5455fb6f-5926-4e24-85ab-a64dd0bcb4a2/59437131041.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    The last seven entries are XMP/RDF schema namespace identifiers and the SIL Open Font License URL; these are normally metadata strings from the document's XMP packet and the embedded fonts rather than clickable targets, and are not indicators on their own.
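The two parser-level findings above, PDF_URI / EMBEDDED_URL and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, are easy to reproduce. The script below is an added example written for this page, not code from the analysis tool: it indexes every `N G obj ... endobj` definition in a PDF, reports objects defined more than once with differing bodies, shows what a first-wins and a last-wins reader would each resolve, raises severity when a conflicting body carries active content, and extracts /URI targets from every definition, including the one a first-wins reader would never see. The PDF bytes are constructed for the demonstration (no xref tables, a placeholder example.invalid URL) and are not the analysed sample; objects packed into /ObjStm object streams are outside what this scan can see.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample (not the analysed file). The original body defines object
# 4 as a plain link annotation; an incremental update appended after the first
# %%EOF redefines "4 0 obj" with a /URI action. No xref tables are included,
# which lenient readers tolerate; the URL is a hypothetical placeholder.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>\nendobj\n"
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    # incremental update: same object number and generation, different body
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]"
    b" /A << /S /URI /URI (https://example.invalid/lure?utm_term=sheet+music) >> >>\n"
    b"endobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

# "N G obj ... endobj"; the lookbehind stops "10 0 obj" from also matching as "0 0 obj".
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
# /URI (literal string); PDF escape sequences inside the string are left unprocessed.
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")
# Keys whose presence turns a body-only duplicate from "info" into a real finding.
ACTIVE_KEYS = (b"/URI", b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA", b"/EmbeddedFile")


def index_objects(data: bytes) -> Dict[Tuple[int, int], List[bytes]]:
    """Map (object number, generation) to every body defined for it, in file order.
    Objects packed inside /ObjStm object streams are not visible to this scan;
    a full tool has to inflate those streams first."""
    defs: Dict[Tuple[int, int], List[bytes]] = {}
    for m in OBJ_RE.finditer(data):
        key = (int(m.group(1)), int(m.group(2)))
        defs.setdefault(key, []).append(m.group(3).strip())
    return defs


def duplicate_objects(data: bytes) -> List[dict]:
    """Report objects defined more than once with differing bodies, the shape
    behind PDF_DUPLICATE_OBJ_BODY_INCREMENTAL. Severity is 'info' for a plain
    body change (normal in incremental saves) and 'high' when any of the
    conflicting bodies carries active content."""
    findings = []
    for (num, gen), bodies in index_objects(data).items():
        if len(set(bodies)) < 2:
            continue
        active = any(k in body for body in bodies for k in ACTIVE_KEYS)
        findings.append({
            "obj": f"{num} {gen}",
            "definitions": len(bodies),
            "first_wins": bodies[0],   # what a reader keeping the first definition resolves
            "last_wins": bodies[-1],   # what a reader honouring the incremental update resolves
            "severity": "high" if active else "info",
        })
    return findings


def extract_uris(data: bytes) -> List[str]:
    """Collect /URI action targets from every definition, including ones a
    first-wins reader would never resolve (the PDF_URI / EMBEDDED_URL signals)."""
    uris: List[str] = []
    for bodies in index_objects(data).values():
        for body in bodies:
            for m in URI_RE.finditer(body):
                uri = m.group(1).decode("latin-1")
                if uri not in uris:
                    uris.append(uri)
    return uris


if __name__ == "__main__":
    for f in duplicate_objects(SAMPLE_PDF):
        print(f"{f['obj']} obj defined {f['definitions']} times, severity={f['severity']}")
        print("  first-wins reader sees:", f["first_wins"].decode("latin-1"))
        print("  last-wins reader sees: ", f["last_wins"].decode("latin-1"))
    print("URIs:", extract_uris(SAMPLE_PDF))
```

On the constructed sample, the first definition of object 4 is a harmless link rectangle and the second carries the /URI action, so a first-wins parser sees no link target while a last-wins parser opens the URL; the duplicate is rated high because the conflicting body contains an action key. Running the same scan over a real sample needs the decoded object streams as well, otherwise an attacker can hide the second definition inside a compressed /ObjStm.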

Extracted artifacts (3)

Files carved from inside the sample during analysis.

font_00_sfnt_off0000f128.bin
  SHA-256: 1c4e2efa2ae682faa71c5d4410788696b80227312768f6fdafc399e7df98c8a8
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xF128
  Size:    5124 bytes

font_01_sfnt_off0001027f.bin
  SHA-256: 8b3f0d4a4cc3f2ac14f2a33650d826d3785b06399d41785c057c2ecaf9a8004a
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x1027F
  Size:    11684 bytes

font_02_sfnt_off00012a70.bin
  SHA-256: d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x12A70
  Size:    4324 bytes
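The three artifacts above are sfnt font programs carved out of the PDF's font streams; pulling them out lets a font parser (a frequent exploit target on its own) be scanned or fuzzed separately from the PDF. The script below is an added example written for this page, not the analysis tool's own carver: it scans a decoded byte buffer for sfnt magic values, sizes each hit from its table directory so the carve ends where the font ends, and hashes the result the way the table reports it. The PDF bytes and both fonts are constructed inline with a small builder; a real sample normally stores FontFile2 / FontFile3 streams behind /FlateDecode, so the stream data has to be inflated before it is scanned.

```python
import hashlib
import struct
from typing import Dict, List, Tuple

# sfnt magic values: TrueType (0x00010000), CFF-based OpenType ('OTTO') and Apple 'true'.
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true")


def sfnt_length(data: bytes, off: int) -> int:
    """Size of the sfnt that starts at `off`, derived from its table directory
    (the end of the furthest table, padded to 4 bytes). Returns 0 when the
    header or any table record is implausible, so random magic hits are skipped."""
    if data[off:off + 4] not in SFNT_MAGICS or off + 12 > len(data):
        return 0
    num_tables = struct.unpack(">H", data[off + 4:off + 6])[0]
    if not 0 < num_tables <= 64:
        return 0
    end = off + 12 + 16 * num_tables                 # end of the table directory
    if end > len(data):
        return 0
    for i in range(num_tables):
        rec = off + 12 + 16 * i
        tag, _checksum, toff, tlen = struct.unpack(">4sIII", data[rec:rec + 16])
        if not all(0x20 <= c < 0x7F for c in tag):   # tags are printable ASCII
            return 0
        if off + toff + tlen > len(data):            # table would run past the buffer
            return 0
        end = max(end, off + toff + tlen)
    length = end - off
    length += -length % 4                            # tables are 4-byte padded
    return min(length, len(data) - off)


def carve_sfnt_fonts(data: bytes) -> List[Tuple[int, int, str]]:
    """Scan a byte buffer for sfnt headers and carve every font that parses.
    Returns (offset, length, sha256 hex). The buffer must already be decoded:
    fonts inside /FlateDecode streams have to be inflated before they can be found."""
    found: List[Tuple[int, int, str]] = []
    pos = 0
    while True:
        hits = [h for h in (data.find(m, pos) for m in SFNT_MAGICS) if h != -1]
        if not hits:
            return found
        off = min(hits)
        length = sfnt_length(data, off)
        if length:
            found.append((off, length, hashlib.sha256(data[off:off + length]).hexdigest()))
            pos = off + length                       # do not rescan inside a carved font
        else:
            pos = off + 1


def build_sfnt(tables: Dict[bytes, bytes]) -> bytes:
    """Assemble a minimal TrueType-flavoured sfnt for the constructed sample.
    Checksums are left zero; the carver only uses offsets and lengths."""
    n = len(tables)
    header = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", n, 0, 0, 0)
    records, body, off = b"", b"", 12 + 16 * n
    for tag, payload in sorted(tables.items()):
        records += struct.pack(">4sIII", tag, 0, off, len(payload))
        payload += b"\0" * (-len(payload) % 4)      # pad each table to 4 bytes
        body += payload
        off += len(payload)
    return header + records + body


def pdf_stream_obj(num: int, payload: bytes) -> bytes:
    """Wrap a payload in an uncompressed PDF stream object (constructed sample helper)."""
    return (b"%d 0 obj\n<< /Length %d >>\nstream\n" % (num, len(payload))
            + payload + b"\nendstream\nendobj\n")


# Constructed sample (not the analysed file): two uncompressed font streams.
FONT_A = build_sfnt({b"head": b"\x00\x01" * 27, b"glyf": b"\x00" * 40})
FONT_B = build_sfnt({b"cvt ": b"\x00\x10" * 6, b"fpgm": b"\xb0\x01\x2c", b"prep": b"\xb0\x02"})
SAMPLE_PDF = b"%PDF-1.4\n" + pdf_stream_obj(7, FONT_A) + pdf_stream_obj(8, FONT_B) + b"%%EOF\n"

if __name__ == "__main__":
    for off, length, digest in carve_sfnt_fonts(SAMPLE_PDF):
        print(f"sfnt at offset 0x{off:X}, {length} bytes, sha256 {digest}")
```

Sizing the carve from the table directory rather than from the PDF's /Length is deliberate: a font stream can be padded or trailed by junk, and a font whose table records point outside the stream is itself worth a closer look. The carved bytes hash identically whether they are cut out of the PDF or taken from the standalone font, which is what makes the SHA-256 in the artifact table comparable across samples.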