Malicious PDF — malware analysis report

Static analysis result for SHA-256 6667a4e9e7963147…

MALICIOUS

PDF

64.6 KB Created: 2020-12-03 09:43:19 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ee26cc02d188d4c4832e276410d14372 SHA-1: 2c33e122627ca03fc3f178edc4170fd643726a4c SHA-256: 6667a4e9e796314705325d6c187404c064c710246574252e03621ed28f81a7d0
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains an embedded URL that directs users to a phishing site. The ML classifier and ClamAV detection strongly indicate malicious intent. Although no scripts were explicitly extracted, the PDF structure and embedded URI heuristic suggest it's designed to redirect users to a malicious domain for potential exploitation or credential harvesting.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffset.ru/strik?utm_term=how+to+summon+bosses+in+ark+cheat
    • https://cdn-cms.f-static.net/uploads/4462974/normal_5fabddef2a66c.pdf
    • https://cdn-cms.f-static.net/uploads/4417318/normal_5fbc1ed326921.pdf
    • https://cdn-cms.f-static.net/uploads/4422640/normal_5f9a033edcaa5.pdf
    • https://cdn-cms.f-static.net/uploads/4375694/normal_5f9c78453c0d2.pdf
    • https://cdn-cms.f-static.net/uploads/4373259/normal_5f8b4a9d2c944.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/3aadc282-6ae7-4b1d-af54-2f7e7c2b6e57/13408745128.pdf
    • https://s3.amazonaws.com/genukopapovixo/30285370857.pdf
    • https://uploads.strikinglycdn.com/files/0b8b5a08-8294-44dd-beeb-08f18138f2a5/counter_strike_1._6_server_indir.pdf
    • https://uploads.strikinglycdn.com/files/3add194e-b5d9-4cd0-aa88-fd0ee692fea3/iphone_schematic_gsmhosting.pdf
    • https://s3.amazonaws.com/paropabaru/oceanography_merit_badge_worksheet.pdf
    • https://s3.amazonaws.com/bejenosugede/rationalization_definition.pdf
    • https://uploads.strikinglycdn.com/files/ede8ebce-ffda-4273-ada6-c10d5180cf1d/4336004300.pdf
    • https://s3.amazonaws.com/wibadinavosunom/python_create_word_document_from_template.pdf
    • https://uploads.strikinglycdn.com/files/558da66c-e208-4222-9025-789ab3ef0e02/9005999388.pdf
    • https://s3.amazonaws.com/zirojopemup/67666412997.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000bfbc.bin
76ec25e700702e3995fe0aae8e00402b596de0aefabbdf38d66d722d04efe017		 pdf-font-stream PDF embedded font (sfnt) at offset 0xBFBC 5264 bytes
font_01_sfnt_off0000d184.bin
2a11994776914983f4cc0f020cb4b3d96eb183b6b6de665dcb1a43643c8cc999		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD184 10636 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.