Malicious PDF — malware analysis report

Static analysis result for SHA-256 6bbdb74cb8577746…

Verdict: MALICIOUS
File type: PDF
Size: 84.6 KB
Created: 2021-03-24 19:55:20 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ab76840ab9a0e34ecce73e4b2d445c4d
SHA-1: bf6f546d093ef07e476dce49c6f7984f5277d92c
SHA-256: 6bbdb74cb85777461a1360fb29afa7a35c894e0f104ee156b68c619e77e16815
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains an embedded URL that directs to a suspicious domain, likely intended for phishing or malware distribution. The ML classifier and ClamAV detection strongly indicate malicious intent. Although no scripts were explicitly extracted, the PDF structure and embedded URI suggest it's designed to trick users into visiting a malicious site, possibly by masquerading as a legitimate document.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://xezojetit.ru/strik?utm_term=what+gre+score+do+i+need+for+psychology+grad+school
    • http://pebifakonek.sportsontheweb.net/xokonexodekepozefiz.pdf
    • https://static.s123-cdn-static.com/uploads/4369930/normal_5fe31f01ba7eb.pdf
    • https://nedidibizexoba.weebly.com/uploads/1/3/0/9/130969065/e2c8729456.pdf
    • https://cdn-cms.f-static.net/uploads/4484118/normal_603659f88cc55.pdf
    • https://sajulivos.weebly.com/uploads/1/3/1/1/131164476/4dfde2db6c84.pdf
    • http://bukobaxaz.getenjoyment.net/jaxevikamupafug.pdf
    • https://cdn-cms.f-static.net/uploads/4408352/normal_603bf0718ae83.pdf
    • http://xoziduso.mypressonline.com/solapur_university_result_2020_b._com.pdf
    • https://pasazobunev.weebly.com/uploads/1/3/4/6/134670772/25fd61b4642de2.pdf
    • http://zugasanuko.getenjoyment.net/46527331721.pdf
    • http://idealicaitalia.website/28517122724fhbhp.pdf
    • https://kikizesojumare.weebly.com/uploads/1/3/4/7/134718780/ketiwujurasitaz-poromux.pdf
    • http://dobilarujokux.sportsontheweb.net/batman_death_in_the_family_online_sa_prevodom.pdf
    • http://ppl-nutrshopfit.website/55816694609vavvm.pdf
    • https://mufirurinonezu.weebly.com/uploads/1/3/4/6/134669904/begad_nafirenutejuv.pdf
    • http://vajesafosedepur.mywebcommunity.org/88468021111.pdf
    • http://fukerijinexin.mygamesonline.org/nojiwupireponiwebomepis.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • http://gogujigasad.onlinewebshop.net/73654814273.pdf
    • https://uploads.strikinglycdn.com/files/b404b519-2e44-4979-b44c-93eaf805ec47/what_is_the_significance_of_the_supreme_court_decision_in_marbury_v._madison_quizlet.pdf
    • https://uploads.strikinglycdn.com/files/ada1d077-8c2e-42d1-9c21-882a48576696/ford_e350_diesel_cargo_van_for_sale.pdf
    • http://resilasijajatil.myartsonline.com/how_much_does_a_physics_engineer_make.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0001010f.bin
    SHA-256: 1aa4bc83a090e9d81603f5e69b1fa2a5c9ec30f8e2a36a1801c490f16f7eeeeb
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1010F
    Size: 5320 bytes
  • font_01_sfnt_off00011332.bin
    SHA-256: b419f6186e0af5f7efd15a07b32e090a09c24ec6e8232c8e8178f9f8cbc78f06
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11332
    Size: 10444 bytes
  • font_02_sfnt_off0001369d.bin
    SHA-256: 0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1369D
    Size: 4324 bytes