Malicious PDF — malware analysis report

Static analysis result for SHA-256 6c90755c753385a8…

Verdict: MALICIOUS
File type: PDF
Size: 76.4 KB
Created: 2021-03-21 09:20:18 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8426ad6619ff4a5e1399af3e4233acd1
SHA-1: be1f833c36d47233e3892d7772f509ab7b5f5fdc
SHA-256: 6c90755c753385a869d2dedfbbf7dae57b9bcf73a40c1687e34a2b81413ffeb4
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF document with the characteristics of a phishing lure: it references a popular consumer product (visible in the query string of the first extracted URL) to entice the reader into clicking through. The verdict rests on the ML classifier's high-confidence score and the ClamAV phishing signature; the external URI actions are the delivery channel, pointing at off-site PDF downloads on throwaway domains and free-hosting subdomains. No script content was extracted from the sample, so the T1059.007 (JavaScript) mapping is inferred from the document's structure rather than from observed code, and the expected behaviour is a redirect to, or download of, attacker-controlled content rather than in-document code execution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics (4)

  • ClamAV detection critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will therefore resolve different content for the same reference, a parser-confusion shape used by targeted PDFs to show one thing to a scanner and another to the viewer. Body-only differences are common in benign incremental updates (a saved edit appends a new definition of an existing object), so severity is raised only when a duplicate definition carries active content such as a JavaScript, launch or open action.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://jumiwimov.ru/wix?keyword=costco+tri+tip+seasoning
    • http://damvglaz0.xyz/applied_linear_regression_4th_editioneyt8f.pdf
    • http://onatural.space/pretul_nesocotintei_mary_balogh_download658pm.pdf
    • http://my-favshopd.online/husqvarna_yth_150_deck_belt_diagramla5b5.pdf
    • https://cdn.sqhk.co/suwuwewazaka/heUYkYp/vrn_nextbike_login.pdf
    • http://zzzmmmmejjj.space/47661106279o822f.pdf
    • http://it50life.pro/86632658751k1s68.pdf
    • https://zirodamabesad.weebly.com/uploads/1/3/0/7/130740068/9076624.pdf
    • https://cdn.sqhk.co/desixurate/heOijbd/chicken_sounds_mp3_download.pdf
    • https://newadagunezadev.weebly.com/uploads/1/3/4/6/134684801/7799b.pdf
    • https://cdn.sqhk.co/juvebuzizej/jGyMhbb/4257487994.pdf
    • https://cdn.sqhk.co/rabataxuvax/hgibwie/54190351723.pdf
    • http://wojesukuzak.mygamesonline.org/how_to_prepare_for_a_very_important_interview.pdf
    • http://fatukawudel.iblogger.org/keturebosubora.pdf
    • https://gokuxevi.weebly.com/uploads/1/3/4/0/134017514/tukitoxafufosanap.pdf
    • http://gatowixipeba.mywebcommunity.org/introduction_to_management_accounting.pdf
    • https://xelopapet.weebly.com/uploads/1/3/0/7/130775154/2827410.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://42190e62-4dca-482d-a077-ae7b222d7779.filesusr.com/ugd/b91392_c220efba9c404d2ba8f145dbda3ec9c0.pdf?index=true
    • https://f608bf75-187c-4b28-9621-af925c05c2b6.filesusr.com/ugd/05e3ad_02cfdc10286a4c60b74cf3cf1da09a4b.pdf?index=true
    • http://samupuvigerolo.rf.gd/bumetilifikapidoripat.pdf
    • http://sinusisokopex.atwebpages.com/who_owns_lawn_boy.pdf
    • https://591379ed-26d0-4405-baa7-5b8dadede013.filesusr.com/ugd/866ffa_3d3d9fc9b30d4640ae6088384b2c152b.pdf?index=true
    • http://moraruvotu.epizy.com/ssc_je_admit_card_2019-_20.pdf
    The remaining URIs are XMP metadata namespace identifiers and the SIL Open Font License URL (typically carried in an embedded font's name table); they are identifiers, not navigable link targets, and are expected in any wkhtmltopdf output:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
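The two structural heuristics above, PDF_URI and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, can be reproduced with a short scanner. The Python below is an added example written for this page, not the analysis engine's own code. It runs over a constructed two-definition PDF embedded in the block (object 4 0 is redefined by an incremental update, with a plain /URI link replaced by a /JavaScript action), flags the duplicate only when one of its definitions carries active content, shows what a first-wins and a last-wins reader each resolve, and lists /URI targets. The regex, the ACTIVE_KEYS list and the example.invalid hosts are assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed sample (not the file from this report): a minimal PDF followed by an
# incremental update that redefines object 4 0 with a different body. The first
# definition is a plain /URI link; the update swaps in a /JavaScript action.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]
   /A << /S /URI /URI (http://example.invalid/benign) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]
   /A << /S /JavaScript /JS (app.launchURL("http://example.invalid/payload", true)) >> >>
endobj
trailer
<< /Root 1 0 R /Prev 0 >>
%%EOF
"""

# "N G obj ... endobj" at line start. Objects packed into compressed object
# streams are invisible to this scan (see the note after the block).
OBJ_RE = re.compile(rb"^(\d+)\s+(\d+)\s+obj\b(.*?)^endobj", re.M | re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Assumed list of dictionary keys that let an object run code or auto-trigger.
# /URI is deliberately left out: the report rates a bare URI action as "info".
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction", b"/AA",
               b"/SubmitForm", b"/GoToR", b"/RichMedia")


def iter_objects(data):
    """Yield ((num, gen), body_bytes, offset) for each top-level definition, in file order."""
    for m in OBJ_RE.finditer(data):
        yield (int(m.group(1)), int(m.group(2))), m.group(3).strip(), m.start()


def find_duplicate_objects(data):
    """Map (num, gen) -> [body, ...] for ids defined more than once with differing bytes."""
    defs = defaultdict(list)
    for key, body, _ in iter_objects(data):
        defs[key].append(body)
    return {k: bodies for k, bodies in defs.items() if len(set(bodies)) > 1}


def has_active_content(body):
    return any(key in body for key in ACTIVE_KEYS)


def resolve(data, key, policy="last"):
    """Body a reader would use for `key` under a first-wins or last-wins policy."""
    bodies = [b for k, b, _ in iter_objects(data) if k == key]
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


def extract_uris(data):
    """Targets of /URI actions, the channel behind the PDF_URI heuristic."""
    return sorted({m.group(1).decode("latin-1") for m in URI_RE.finditer(data)})


def assess(data):
    """Report's rule: a duplicate body is 'info' unless a definition carries active content."""
    findings = []
    for key, bodies in find_duplicate_objects(data).items():
        first_active = has_active_content(bodies[0])
        last_active = has_active_content(bodies[-1])
        findings.append({
            "obj": key,
            "definitions": len(bodies),
            "first_wins_active": first_active,
            "last_wins_active": last_active,
            "diverges": first_active != last_active,   # scanner and viewer disagree
            "severity": "high" if (first_active or last_active) else "info",
        })
    return {"duplicates": findings, "uris": extract_uris(data)}


if __name__ == "__main__":
    report = assess(SAMPLE_PDF)
    for f in report["duplicates"]:
        print(f"object {f['obj'][0]} {f['obj'][1]}: {f['definitions']} definitions, "
              f"first-wins active={f['first_wins_active']}, "
              f"last-wins active={f['last_wins_active']}, severity={f['severity']}")
    print("URI actions:", report["uris"])
```

Running it prints one line per duplicated object id and the list of URI targets. A regex pass only sees uncompressed top-level objects: definitions packed into /ObjStm streams, or reachable only through the xref table, need a real PDF parser, and a production check should resolve each reference the way the target reader does (via the xref and /Prev chain) rather than by file order, since that is exactly the disagreement the heuristic is looking for.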

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000e400.bin
  SHA-256: 50a2d3e20ff75f0ba5cfb0e31d7e8c4e66ab70ddcfa784e6a7b53ca8e3349468
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xE400
  Size: 4972 bytes

Filename: font_01_sfnt_off0000f4f2.bin
  SHA-256: 6d2a3a16cc464ce72cf05976c7f96a31c93af2202e0dc760c37a694345e222ee
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF4F2
  Size: 1800 bytes

Filename: font_02_sfnt_off0000fd82.bin
  SHA-256: 90b8c4e820bba8fd86669b3b4e13b807087af73c5ea891d782c5de23b983d16c
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xFD82
  Size: 11176 bytes