Malicious PDF — malware analysis report

Static analysis result for SHA-256 65253b4c2d38fcb6…

Verdict: MALICIOUS

File type: PDF

Size: 77.6 KB
Created: 2021-04-21 19:20:07 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 73e3ef17e20d8445e6d14a9742f73a1f
SHA-1: 72ac1ed9410bf15282a48a1dc992643d1a1fa58c
SHA-256: 65253b4c2d38fcb6cd5b5bcbac817cdb8df22a0be152b4ad5c49c316eb43e55c

Risk score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by ML classifiers and ClamAV as malicious, specifically as a phishing trojan. It contains an embedded URL pointing to a suspicious domain, likely intended to host a malicious payload or redirect the user to a phishing site. The document body, though heavily obfuscated, suggests a lure related to scientific or technical information, which is a common tactic for phishing and malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (4)

  • ClamAV detection (critical, CLAMAV_DETECTION): Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jacksth.ru/strik?utm_term=shear+rate+blood+flow+velocity

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000efab.bin
    SHA-256: 4baafaecdc104a96d38bce20212e23578420dfe67e5f304b85ae9b93c344294e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEFAB
    Size: 5428 bytes
  • Filename: font_01_sfnt_off0001023a.bin
    SHA-256: 8d21122e6b21c65120466ea75b0eb45143ec44d7411054f2e67e588d71314852
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1023A
    Size: 11388 bytes