Malicious PDF — malware analysis report

Static analysis result for SHA-256 74f9312d1be218f6…

MALICIOUS

PDF

Size: 89.9 KB
Created: 2021-05-26 11:25:53 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-13
MD5: ee33fc782b257bd8eaf5d2ad20ced630
SHA-1: 94df67b7cc58e8d6df8bfe6b3387a6f21754e10c
SHA-256: 74f9312d1be218f6b9ddd92428bb001f64a29031c0600b1d5ed4b77a1c83ba1a
Risk Score: 136

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF matches a heuristic identifying it as a free-download phishing lure that directs the reader to a suspicious URL. The ML classifier and the ClamAV detection both strongly indicate malicious intent. Although no scripts were extracted, the PDF structure and the embedded URI point to a phishing attack designed to trick users into visiting a malicious redirector.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image lure linking to an SEO redirector (free-download phishing) [high] PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector: the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so that the detection does not depend on a ClamAV/ML signature and holds regardless of how many filler text pages the lure carries.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://midufefew.ru/strik?utm_term=fluid+mechanics+8th+edition+white+solutions+manual (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      | Kind            | Source                                       | Size
font_00_sfnt_off00011c8f.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11C8F   | 5324 bytes
  SHA-256: a7711b92608b35d125c3f137879698786ab51ac6c767843d3ff58126c2bfec6d
font_01_sfnt_off00012e92.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12E92   | 12676 bytes
  SHA-256: 6b75179201eb2a39788948a251e1e3a92bcc885a3e2aaf63b0a25a635d2a4e40