Malicious PDF — malware analysis report

Static analysis result for SHA-256 770498887e9e90fe…

Verdict: MALICIOUS
File type: PDF
Size: 181.3 KB
Created: 2021-03-16 18:21:21 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 52b5f9ba96fed3c68e79fe5f3f12cf96
SHA-1: 970b3e1a4dd1d853b62173f4440871075f06c40f
SHA-256: 770498887e9e90fe87a77de2218055fa12d477d267715672ce7841af3a199ec9
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF carries an external URI action (a link that opens a URL when the user clicks it). ClamAV matches the file with a phishing signature, and the ML classifier scores it as malicious with high confidence (0.9628). No JavaScript, embedded file or launch action was extracted, so the only active capability found is redirecting the user to the linked URL, consistent with a phishing lure or a download of a secondary payload. The T1059.007 (JavaScript) mapping above is therefore not corroborated by the extracted content and should be treated as tentative. Text extraction from the document body produced no readable content, so the lure text could not be reviewed; this is often caused by subsetted embedded fonts without a usable ToUnicode map rather than deliberate obfuscation, and should be confirmed by rendering the page. Note that the URL list below mixes the actionable links with XMP metadata namespace URIs (w3.org, purl.org, ns.adobe.com) and font-licence URLs (scripts.sil.org/OFL, dejavu.sourceforge.net, ascendercorp.com, daltonmaag.com); these come from document metadata and embedded font data, not from link actions, and are not indicators.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9628

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs to show one thing to a scanner and another to the viewer. Body-only differences are also common in benign incremental updates (saved edits append a new definition rather than rewriting the file), so severity is raised only when the duplicate carries active content such as an action, script or launch entry.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://xezojetit.ru/wix?keyword=langmuir+circulation+%25E4%25B8%25AD%25E6%2596%2587
    • http://pasetbs.xyz/442134185276l4q6.pdf
    • https://cdn-cms.f-static.net/uploads/4470985/normal_601002cdd451c.pdf
    • https://static.s123-cdn-static.com/uploads/4498324/normal_5fc7faca4711c.pdf
    • http://inglassrus.ru/parmenides_theory_of_realitybp8jy.pdf
    • http://7gusevshop.space/ice_cream_runtzjnqn5.pdf
    • http://gozatelaji.22web.org/geweniniwixajivexov.pdf
    • https://cdn-cms.f-static.net/uploads/4366388/normal_60462b9ccdca5.pdf
    • https://cdn-cms.f-static.net/uploads/4409628/normal_6016101f3ab64.pdf
    • http://checkmyscore.info/56950436455czg3k.pdf
    • https://deremufirig.weebly.com/uploads/1/3/4/8/134854029/17a41752a44c3ed.pdf
    • http://visanekis.iblogger.org/siwexobesirabidalebabop.pdf
    • http://creditinquiry.info/simple_sample_treasurers_reportmv3cm.pdf
    • https://static.s123-cdn-static.com/uploads/4416935/normal_5fec0a46cf4b2.pdf
    • https://tiwudusakuwizir.weebly.com/uploads/1/3/1/6/131637104/tobuvosewon.pdf
    • http://jabekigufu.22web.org/golds_gym_trainer_420_belt_adjustment.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://s3.amazonaws.com/farokof/what_is_the_lowest_tint_you_can_get_in_florida.pdf
    • https://s3.amazonaws.com/gezejoputiwinu/diporavedokidejabu.pdf
    • https://uploads.strikinglycdn.com/files/215f7e82-d0b2-477c-b1f0-8d9e90594fde/gomujefifewozi.pdf
    • https://uploads.strikinglycdn.com/files/c9eb9c32-ca56-46a1-99ce-9b85cbbb0248/2017_lexus_rx_350_f_sport_price_in_nigeria.pdf
    • https://s3.amazonaws.com/xanunafojuloki/8088039095.pdf
    • https://uploads.strikinglycdn.com/files/0fd41d15-42b2-496e-958f-6b5a64ecb034/how_to_build_a_death_star_in_minecraft_easy.pdf
    • https://s3.amazonaws.com/nijosinizo/how_to_make_your_own_soda_machine.pdf
    • http://gapitufukiwiti.epizy.com/dagannoth_slayer_guide_rs3.pdf
    • https://s3.amazonaws.com/kudowo/46648162293.pdf
    • https://uploads.strikinglycdn.com/files/481736ad-0f49-4b51-b303-bed3145c377e/gta_v_3dm_crack_v4_download.pdf
    • https://uploads.strikinglycdn.com/files/9e662ca3-d555-462c-b044-cc3cc5e59c3b/temutagigojafekazisipak.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://faculty.gvsu.edu/videticp/langmuir.htm
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
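The following Python script is an added example, not code from this report or from the sandbox that produced it. It reproduces the two info-level heuristics above on a constructed PDF: it lists indirect objects that are defined more than once with differing bodies, raises severity only when a conflicting body contains active content, and then shows which /URI action a first-wins reader and a last-wins reader would each resolve. The sample PDF, its object numbers and the benign example.org URL are constructed for the demonstration; the second URL is taken from the report's URL list.

```python
"""Reproduce PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and the external /URI action
check on a constructed PDF. Added example; not the report's own tooling."""
import re

# Matches "N G obj ... endobj". Naive by design: a stream whose raw bytes
# contain "endobj" would cut the body short, so use a real parser for triage.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
# Keys that make a duplicate object "active content" rather than a benign edit.
ACTIVE_RE = re.compile(rb"/(JavaScript|JS|Launch|OpenAction|AA|URI|SubmitForm|GoToR)\b")
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")

# Constructed sample (not the analysed file): a one-page PDF whose link
# annotation (object 4) is redefined by an incremental update with a
# different /URI. The second URL is one of those listed in the report.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]
   /A << /S /URI /URI (https://example.org/benign) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]
   /A << /S /URI /URI (http://pasetbs.xyz/442134185276l4q6.pdf) >> >>
endobj
trailer
<< /Root 1 0 R /Prev 0 >>
%%EOF
"""


def parse_objects(data):
    """Every indirect object in file order: (num, gen, body_bytes, offset)."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3).strip(), m.start())
            for m in OBJ_RE.finditer(data)]


def find_duplicate_objects(data):
    """(num, gen) -> {'offsets': [...], 'severity': ...} for objects defined
    more than once with different bodies. Severity follows the report's rule:
    'info' unless one of the conflicting bodies carries active content."""
    defs = {}
    for num, gen, body, off in parse_objects(data):
        defs.setdefault((num, gen), []).append((off, body))
    result = {}
    for key, entries in defs.items():
        bodies = {body for _, body in entries}
        if len(bodies) < 2:
            continue  # identical bytes twice is just a redundant update
        active = any(ACTIVE_RE.search(body) for body in bodies)
        result[key] = {"offsets": [off for off, _ in entries],
                       "severity": "warning" if active else "info"}
    return result


def resolve_objects(data, policy="last"):
    """Object table as a reader would build it. Readers that honour
    incremental updates keep the last definition ('last'); some lightweight
    parsers keep the first one they meet ('first')."""
    table = {}
    for num, gen, body, _ in parse_objects(data):
        if policy == "first" and (num, gen) in table:
            continue
        table[(num, gen)] = body
    return table


def extract_uri_actions(data, policy="last"):
    """URLs reachable through /URI actions under the given resolution policy."""
    urls = []
    for body in resolve_objects(data, policy).values():
        urls.extend(m.group(1).decode("latin-1") for m in URI_RE.finditer(body))
    return urls


if __name__ == "__main__":
    for key, info in find_duplicate_objects(SAMPLE_PDF).items():
        print("duplicate object %d %d at offsets %s severity=%s"
              % (key[0], key[1], info["offsets"], info["severity"]))
    for policy in ("first", "last"):
        print(policy + "-wins URIs:", extract_uri_actions(SAMPLE_PDF, policy))
```

Run it on a real sample with `SAMPLE_PDF = open(path, "rb").read()`. The point of the two resolution policies is that a scanner which stops at the first definition sees only the benign link, while a viewer that honours the incremental update follows the second one, which is exactly the mismatch the duplicate-object heuristic is meant to surface.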

Extracted artifacts (6)

Files carved from inside the sample during analysis. All six are embedded sfnt (TrueType/OpenType) font programs, which is expected for a wkhtmltopdf-generated document; the font-licence URLs in the URL list above most likely come from the name tables of these fonts rather than from any link in the document.

font_00_sfnt_off00012606.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x12606
  Size: 105700 bytes
  SHA-256: b3b5640c18b64875edf3cbbbe1ac399a323f28ce6029db8df94a3370166fac7e

font_01_sfnt_off00025acf.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x25ACF
  Size: 3112 bytes
  SHA-256: 31a7c526988a7be2ccd0a44e21e48c33e90714b14e453b0dad9e2e322c4d8857

font_02_sfnt_off000265d4.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x265D4
  Size: 4648 bytes
  SHA-256: f69ff1bc534084a9689f7c081ac804599e3fbcc03d7c56adfb85b80a9fcc1751

font_03_sfnt_off00027577.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x27577
  Size: 12456 bytes
  SHA-256: fe9e9831efb5d00d4745d96a336ced6a274130771e91c808e644fa4b8ab568c6

font_04_sfnt_off0002a063.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x2A063
  Size: 16336 bytes
  SHA-256: bf5920f6536557082646c141d9747a53291bccf71937d223b8450c3d801b07b7

font_05_sfnt_off0002b634.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x2B634
  Size: 4324 bytes
  SHA-256: 1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e