Malicious PDF — malware analysis report

Static analysis result for SHA-256 79f1667921cf5f2b…

MALICIOUS

PDF

Size: 80.5 KB
Created: 2021-03-29 13:23:59 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ec8cffc117f2c92be47292ed7092a5d0
SHA-1: d824f8874a79ac4fbbc296e31ed7ceea93316eef
SHA-256: 79f1667921cf5f2b424673804b660da437f63e1dc895af821fc53d28ecdbc804
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains an embedded URL that redirects to a suspicious domain, likely serving a malicious payload. ClamAV detection and ML classification strongly indicate malicious intent, consistent with a phishing or malware distribution scheme. The document body, though heavily obfuscated, appears to be a lure related to a book title to entice clicks on the malicious link.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9957

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://resalured.ru/award?keyword=libro+la+casa+de+carton+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                     | Kind            | Source                                     | Size
font_00_sfnt_off0000f8b5.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF8B5  | 5228 bytes
  SHA-256: 0b5864ebe9e683cd320df99a4bb3ae0bb67c7f841edb1252b07b9eedf2f71ca6
font_01_sfnt_off00010a86.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10A86 | 12248 bytes
  SHA-256: 356caf11fecd935cb3fa4948aaa4d20faeb240613b91880ba670a20669239ff8