Malicious PDF — malware analysis report

Static analysis result for SHA-256 77a6c70b6c42c43b…

Verdict: MALICIOUS
File type: PDF
Size: 77.5 KB
Created: 2021-04-08 00:02:49 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ebe1adb57a1d96d7a2075f5e645455c1
SHA-1: db196873b648488ed26f9748aac4775c51ddc7cb
SHA-256: 77a6c70b6c42c43bad65221305f2ec214d8c99069c10e2e89942c48c5058c1eb
Risk score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains a heuristic indicating an external URI, which points to a suspicious domain. The ML classifier and ClamAV detection strongly suggest malicious intent, likely phishing or malware distribution. Although no scripts were explicitly extracted, the presence of an external URL and the nature of the heuristic firings indicate an attempt to redirect the user to a malicious site, potentially for credential harvesting or further payload delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://vilenefex.ru/strik?utm_term=how+to+program+le+bistro+cat+feeder

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000eb8c.bin
    SHA-256: 1949657719836e3f2dc359ed5569efcbb21b5d485cc02767c79ca68b4e543305
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEB8C
    Size: 5668 bytes
  • Filename: font_01_sfnt_off0000fecf.bin
    SHA-256: acf3ddf3c33f8fb6c32e4cef2cf6f36736c808f18cff6607242d3089b0787e08
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFECF
    Size: 11768 bytes