Malicious PDF — malware analysis report

Static analysis result for SHA-256 65682dc3f696f8b8…

Verdict: MALICIOUS
File type: PDF
Size: 84.7 KB
Created: 2021-06-01 09:32:35 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1758f3485adea47d869e746858fdca7f
SHA-1: ceba74ff5149a0507f3376c723eab525d7680d3a
SHA-256: 65682dc3f696f8b8d37d9f5346f0d36e38cebefda6528b16b72685b42c5dd025
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains an embedded URL that mimics a search engine result, likely to trick users into visiting a malicious site. ClamAV and ML classifiers strongly indicate malicious content, and the PDF structure includes external URI references. No scripts were extracted, but the overall pattern suggests a phishing lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://wastran.ru/pbw?utm_term=what+is+the+meaning+of+platypelloid+pelvis

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000f773.bin | d050a7f5e67882084bfa80467c753624e1f69e2cac69485f30f506afc5eeb710 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF773 | 5532 bytes
font_01_sfnt_off00010a3c.bin | 1157ea5ac748439cc07ceffb61f746cc0a34d07335c1cdd3634c10cd908be74c | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10A3C | 11224 bytes
font_02_sfnt_off00013018.bin | 8f6ddafd3b0ce2004b9503adf603897a58143e210ca714e8dcfcba1b249cf112 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13018 | 16080 bytes