Malicious PDF — malware analysis report

Static analysis result for SHA-256 6fa5c51c7bc65c93…

MALICIOUS

PDF

Size: 330.6 KB
Created: 2021-04-08 08:44:54 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-25

MD5: a996e5e433302a06c8ad3f04916c4e2e
SHA-1: 05ad8b76075d72386b0301ad64e92a00b949f180
SHA-256: 6fa5c51c7bc65c93f1e3e6165abdb1ebc47f48df0d29c3ee8ee6b051dcb943fa

Risk Score: 184

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains critical heuristics indicating it's a lure for recovery secrets or private keys, consistent with phishing or scam tactics. While no scripts were explicitly extracted, the presence of external URIs and the ML classifier's flagging suggest malicious intent, likely to download a secondary payload or redirect the user to a credential harvesting site. The ClamAV detection further confirms its malicious nature.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7912

Heuristics (7)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical | CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Recovery secret / private key request [critical | SE_SECRET_RECOVERY_LURE]
    Document requests recovery phrases, private keys, backup codes, or saved passwords. Requests for these secrets in a document are high-risk.
  • Callback phishing phone lure [medium | SE_CALLBACK_LURE]
    Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Visual download / call-to-action button lure [low | SE_DOWNLOAD_BUTTON]
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
  • External URI [info | PDF_URI]
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info | PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info | EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
stream_009_off0004e025.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x4E025 | 19484 bytes | d0bae9e941acdc0ed8c3101ee71b516673f25a8853de1d2e08ff2694890a7799
font_00_sfnt_off00048ad1.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x48AD1 | 3528 bytes | ce3e0a471d28eebbb901ed1853757853c74237a3f8d5b81ea699f838714cefda
font_01_sfnt_off00049782.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x49782 | 4996 bytes | 93a4a789be9ef425759f467cf2b537f817840085f3f3c94a3230bb78c207166e
font_02_sfnt_off0004a8b4.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x4A8B4 | 19688 bytes | b4ab38bbf7ba9784abda16e1f46590ca35fae9184c5a3cfcf6c21ffbe4558ad1
font_04_sfnt_off000500c9.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x500C9 | 4324 bytes | ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3
font_05_sfnt_off00050eca.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x50ECA | 2752 bytes | eff260de515204b09a9ef4db25a41e244ce4353b3dccb5a2a8fc415043b9e3a9