Malicious PDF — malware analysis report

Static analysis result for SHA-256 6bdef521cf857d4a…

Verdict: MALICIOUS
File type: PDF
Size: 113.3 KB
Created: 2021-04-12 14:53:56 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: af5b033e75142d07cf9709c6fb600f10
SHA-1: db22882b26da9c80a29343f867c872c5d47c40d2
SHA-256: 6bdef521cf857d4a382528c67e8948bda47bacccaba787487183270dfaa44eb6
Risk Score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains an embedded URI that directs the user to a suspicious domain, likely for phishing or malware distribution. The ML classifier and the ClamAV detection both strongly indicate malicious intent. No scripts were explicitly extracted, but the PDF structure and the embedded URLs suggest the document is designed to trick users into visiting a malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9765

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL action target: https://fokemale.ru/strik?utm_term=what+does+clarion+mean+in+spanish
    Other extracted URLs:
    • https://cdn.sqhk.co/baruduwege/Ngfuifc/train_simulator_games_for_mac_free_download.pdf
    • https://cdn.sqhk.co/tagisojitilu/8hfibGG/philips_hue_motion_sensor_manual.pdf
    • http://hookup154.site/7049938505334tj.pdf
    • https://cdn.sqhk.co/ganuniwiku/asHihVT/rufojinupolaw.pdf
    • http://on-arenas.com/muziwurasatig3m.pdf
    • https://cdn.sqhk.co/suzeboxiwo/fibH1bn/14101334563.pdf
    • http://topcreditscore.info/google_sheets_append_api7nxms.pdf
    • http://timecodes.net/tupac_shakur_mp3_musicqsgns.pdf
    • http://premial.su/18574583446vc59w.pdf
    • https://cdn.sqhk.co/zipodumup/ifggiin/49713275036.pdf
    • http://aydym.club/adobe_after_effects_cs6_free_downloa2j2yi.pdf
    • https://cdn.sqhk.co/kadunila/gdiejg8/rafinisopot.pdf
    • http://priz24.site/gipedws71a.pdf
    • https://cdn.sqhk.co/nisugavu/dKghfjh/tobiteluropazipur.pdf
    • http://visionnew.xyz/krte_mevlt_okuyan_ouk_kimrv0z6.pdf
    • http://hs-life.ru/2011_dodge_avenger_problems8tjgm.pdf
    • https://cdn.sqhk.co/dibitarebizu/j52pPNZ/craftsman_tool_box_set_for_sale.pdf
    • https://cdn.sqhk.co/kixowijeka/Cgcxgji/romantic_video_status_for_whatsapp_sharechat.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://fedorahosted.org/lohit
    • https://uploads.strikinglycdn.com/files/ebd15546-d1b8-4db5-82a2-369f5377db35/kifivafoperub.pdf
    • https://uploads.strikinglycdn.com/files/31b86b8f-8e83-4569-9e2d-7453d8792d47/67378127348.pdf
    • https://uploads.strikinglycdn.com/files/3d728c7b-89d4-4cd0-b348-bf216845c41e/gogidozemogasukolokukuboj.pdf
    • https://uploads.strikinglycdn.com/files/92e921ca-5604-4a02-ac8e-b061e952e754/pijoriritik.pdf
    • https://uploads.strikinglycdn.com/files/3010b4d2-4208-46dc-9857-b1dac0d57986/can_you_draw_on_a_samsung_tablet.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://www.geocities.com/mitra_anirban/hobbies.htmGNU
    • http://www.gnu.org/copyleft/gpl.htmRegular
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (8)

Files carved from inside the sample during analysis.

Columns: Filename (with SHA-256), Kind, Source, Size

  • font_00_sfnt_off0000fefb.bin
    SHA-256: e4cb43edc1835bdcb258eca674e8d85b98e298d0b78c45dc3b6bb6afb4cdcdca
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFEFB
    Size: 5364 bytes
  • font_01_sfnt_off000111e0.bin
    SHA-256: 7368f98f1324ba7bf72863f99a4ede5b9b5082358f1b574ea7cbd426e2a6191d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x111E0
    Size: 5324 bytes
  • font_02_sfnt_off000123da.bin
    SHA-256: c6049ee2dafb2179391ac61d08a2bada88cc5df1b1ec70d55cc54ee5833f4c23
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x123DA
    Size: 4216 bytes
  • font_03_sfnt_off000133d0.bin
    SHA-256: 591996045102f06f3da6bf916718b2e105589360d111ac60a6086a6e243aaf96
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x133D0
    Size: 4868 bytes
  • font_04_sfnt_off0001437a.bin
    SHA-256: f0e4c5bb0ab79957f0c7cd90f7cb8ae798a798a0e49eca67f830cfe55d3bbebf
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1437A
    Size: 3984 bytes
  • font_05_sfnt_off000152df.bin
    SHA-256: b4956466e96b7140b43e40756f520cd3478c143d4d158add3f30e7b3c3dcdaf5
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x152DF
    Size: 18144 bytes
  • font_06_sfnt_off00018acb.bin
    SHA-256: 835704739808e2b870537533ad5929b3744b47429e08e98fd81fbdcb3789f6cb
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x18ACB
    Size: 17248 bytes
  • font_07_sfnt_off0001a474.bin
    SHA-256: 2ec4774ca11dbf4ef552daf626afa5093d40eff3e1221e899f2de77b80f4e4b4
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1A474
    Size: 4012 bytes