Malicious PDF — malware analysis report

Static analysis result for SHA-256 6645cc05fa8aa410…

MALICIOUS

PDF

86.1 KB Created: 2021-03-21 22:59:16 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 701be0c9da6c361c718e281299a15f2c SHA-1: 856e4a93e6fa6be5834ffdcf32baf215f8620238 SHA-256: 6645cc05fa8aa41041a484e69bea15a202639b3e3df821b2cce9972666f940b6
116 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file was flagged by a machine learning classifier and ClamAV as malicious, with specific heuristics indicating it is a callback phishing lure. The document body, though heavily obfuscated, contains text related to cybersecurity and a date, suggesting it is a lure document. The presence of embedded URLs, such as https://maypoin.ru/wix?keyword=cybersecurity+minor+tamu+reddit, further supports the phishing and social engineering attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://maypoin.ru/wix?keyword=cybersecurity+minor+tamu+reddit
    • http://itverys.space/vonufezezojeouh8x.pdf
    • http://kadabafomelu.66ghz.com/get_excited_crossword_answer.pdf
    • http://opt15.ru/unity_game_creator_download_for_androidhoxq9.pdf
    • http://beamorem.com/musamepuslik5y.pdf
    • http://pihodze.com/how_to_install_sensi_thermostat_without_c_wirexafxy.pdf
    • http://ig-verifiedsbadge.com/binowisodopewipurokitoud8zp.pdf
    • http://getallcreditscores.info/91497126791wgzva.pdf
    • http://shoop-fn.ru/retro_9_racer_blue_outfitrg9s2.pdf
    • http://creditscoretracking.info/tifevidewuzorofuzicoz9w.pdf
    • http://otomail.business/network_security38r4k.pdf
    • http://pokemonrivals.online/moviescounter_movie_2018_movies_page_2uyn6j.pdf
    • http://rojorose.iblogger.org/67817730592.pdf
    • http://natiral.space/lamuvinafanoga8pvzd.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://51956041-da35-40aa-96c1-085c1f47c80d.filesusr.com/ugd/e6e573_21bf007edbd74421840c216dcc8753df.pdf?index=true
    • http://sofikej.rf.gd/2770004204.pdf
    • https://ad323f3e-245e-4e3c-8b16-de91fefec063.filesusr.com/ugd/5ea691_d4686f556c61478aa5122487a054e148.pdf?index=true
    • http://fojiresov.epizy.com/saaho_box_office_collection_telugu.pdf
    • https://f110cc6a-49d6-427c-9ab6-a3a4d323b004.filesusr.com/ugd/9e53d4_f9752df68cc84e7a8fa4961e758c2c5f.pdf?index=true
    • https://435a888a-8f80-410d-aa77-77edd6e4491d.filesusr.com/ugd/51fec0_b198a4e69e8547c58afe0b87d467112f.pdf?index=true
    • http://kodelusewa.epizy.com/zobuvaredez.pdf
    • https://69a21580-3c80-4f81-8097-1ec0bc18215d.filesusr.com/ugd/bd7df1_c9dede63f7164217b573e9208efa0190.pdf?index=true
    • http://dipubuwefo.epizy.com/19287629508.pdf
    • http://muresapidun.epizy.com/catalogo_hinode_2018_ciclo_4.pdf
    • http://mipalex.rf.gd/8799913148.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000fae0.bin
699b4b46dd70e0a55093da1576dbb04ae82b772557b6da3b0a60f84da83d604b		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFAE0 5200 bytes
font_01_sfnt_off00010c73.bin
30c0e9d673480303bf6c859b2901edb136f709fdf79a5e9a4a6e914e06fab312		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10C73 11592 bytes
font_02_sfnt_off0001341d.bin
6f17b99764d671a96c0d2fd0b5f339513c2ddbf7efa5d755f63b897ad21dd613		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1341D 16064 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.