Malicious PDF — malware analysis report

Static analysis result for SHA-256 7cca501ba46ec82e…

Verdict: MALICIOUS
File type: PDF
Size: 264.8 KB
Created: 2021-03-18 21:19:21 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 96e7421581f75a9482d3e11f11866e52
SHA-1: 2bc38261711f8a4ed54cc2567135eb3690af2197
SHA-256: 7cca501ba46ec82ec4ecf46e33bd583a7194a5d6da8387eeda08d0fa57e8d09a
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The document is a lure: its link annotations point to URLs that mimic search results for books and study guides ("autobiography of mahatma gandhi in odia pdf", "shl_logical_reasoning_test_answers.pdf"), a shape commonly used for phishing and malware delivery, where the PDF is the bait and the payload, if any, is served from the remote site. The ML classifier (0.9909) and the ClamAV signature both flag it as malicious. No script content was extracted, so the T1059.007 mapping rests on no observed JavaScript; the capability actually observed is the external URI actions that send the reader to attacker-controlled sites. Not every extracted URL is a lure target: the w3.org, purl.org and ns.adobe.com entries are XMP namespace identifiers, and the ascendercorp.com, indictrans.org, fedorahosted.org/lohit and scripts.sil.org/OFL entries are font vendor and licence strings, most likely from the name tables of the four embedded fonts listed under Extracted artifacts. The file was generated by wkhtmltopdf, i.e. rendered from an HTML page, which fits a mass-produced lure rather than a hand-crafted exploit document.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9909

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-differential shape used by targeted PDFs to show one thing to a scanner and another to the victim's viewer. Body-only differences are also what legitimate incremental updates produce, so severity is raised only when a duplicate carries active content such as an action or script.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection: see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://mezovuduw.ru/award?keyword=autobiography+of+mahatma+gandhi+in+odia+pdf
    • http://taxokijoba.sportsontheweb.net/shl_logical_reasoning_test_answers.pdf
    • http://mukinumatonewo.getenjoyment.net/samsung_hw-e450_subwoofer_sync.pdf
    • https://cdn.sqhk.co/xawowaguka/9GoJ4gg/pukipawegikobotaxojubute.pdf
    • http://storeeu.info/90124557552jyx7w.pdf
    • https://cdn.sqhk.co/tobipamu/Pshgjdj/rofanotefe.pdf
    • http://mists.space/strategic_management_planning_for_domestic_and_global_competition_14th_edition_ebook0562x.pdf
    • http://klosheff.xyz/fivijubomalizevaxouryoa.pdf
    • https://cdn.sqhk.co/kepilujofeje/fTrJphh/street_racing_car_traffic.pdf
    • http://fastpysystem.online/jump_attack_tim_grover_review7ew78.pdf
    • http://salea.site/what_is_present_perfect_tense_with_examples5atah.pdf
    • http://eroganoficial.site/dirt_devil_canister_vacuum_reviews61v5r.pdf
    • https://cdn.sqhk.co/raxuzuvuluf/iehdhb7/pofobixopo.pdf
    • http://naturaitalia.space/romeo_and_juliet_film_1968_musicsmppd.pdf
    • http://lifegirls.site/othello_game_rules_play669jc.pdf
    • http://hytri.com/73229741029ti247.pdf
    • http://moresukko.ru/451503595393d4sn.pdf
    • http://rimka.xyz/what_is_a_giant_star_astronomyctjdo.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.indictrans.org
    • http://fedorahosted.org/lohit
    • https://s3.amazonaws.com/fodose/388344729.pdf
    • http://fowimifefezujo.myartsonline.com/widusujapejetemitesede.pdf
    • https://s3.amazonaws.com/vebogotexaf/75769849026.pdf
    • https://s3.amazonaws.com/tanikanaw/putewepeboj.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
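The three PDF heuristics above (PDF_URI, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and EMBEDDED_URL) describe checks that are easy to reproduce. The following is an added example, not code from the report or from the scanner that produced it: a minimal resolver that keeps every definition of an indirect object so first-wins and last-wins views can be compared, a severity rule that only escalates duplicates carrying active content, and a URL labeller that separates /URI actions (what a reader will actually open) from XMP namespace identifiers such as the w3.org, purl.org and ns.adobe.com entries listed above. The sample PDF is constructed inline; the object numbers, URLs, and the XMP_NAMESPACES and ACTIVE_KEYS lists are assumptions of the example, and the regex parser ignores xref tables and object streams, so it sees raw file order only.

```python
"""Added example, not code from the report or its scanner: a minimal
first-wins / last-wins resolver for duplicated PDF objects and a URL
labeller that says which channel reached each URL.  The PDF below is
constructed inline (it omits /Length and xref tables, so it is a shape
for the parser, not a conforming file)."""
import re

# Constructed sample: object 5 (a link annotation) and object 6 (the Info
# dict) are redefined by an incremental update appended after the first %%EOF.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj
4 0 obj << /Type /Metadata /Subtype /XML >>
stream
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/>
endstream
endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example.org/benign) >> >> endobj
6 0 obj << /Producer (wkhtmltopdf 0.12.5) >> endobj
trailer << /Root 1 0 R /Info 6 0 R >>
%%EOF
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://lure.invalid/book.pdf) >> >> endobj
6 0 obj << /Producer (wkhtmltopdf 0.12.5) /ModDate (D:20210318211921) >> endobj
trailer << /Root 1 0 R /Info 6 0 R /Prev 0 >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URL_RE = re.compile(rb"https?://[^\s<>\"')]+")
# Keys that make an object 'active': actions and script hooks a reader acts on
# (assumed list for the example).
ACTIVE_KEYS = (b"/URI", b"/JavaScript", b"/JS", b"/Launch", b"/GoToR",
               b"/SubmitForm", b"/OpenAction", b"/AA")
# XMP namespace URIs are schema identifiers; a reader never fetches them.
XMP_NAMESPACES = ("http://www.w3.org/1999/02/22-rdf-syntax-ns#",
                  "http://purl.org/dc/elements/1.1/", "http://ns.adobe.com/")

def object_bodies(pdf):
    """{(num, gen): [body, ...]} in file order; duplicates keep every definition."""
    out = {}
    for m in OBJ_RE.finditer(pdf):
        out.setdefault((int(m[1]), int(m[2])), []).append(m[3].strip())
    return out

def resolve(pdf, num, gen, policy="last-wins"):
    """What a first-wins or last-wins reader sees for object (num, gen)."""
    bodies = object_bodies(pdf).get((num, gen))
    if not bodies:
        return None
    return bodies[0] if policy == "first-wins" else bodies[-1]

def classify_duplicates(pdf):
    """Objects defined more than once with different bytes, tagged by whether
    any definition carries active content (the condition that raises severity)."""
    result = {}
    for key, bodies in object_bodies(pdf).items():
        if len(bodies) > 1 and len(set(bodies)) > 1:
            active = any(k in b for b in bodies for k in ACTIVE_KEYS)
            result[key] = "active" if active else "body-only"
    return result

def label_urls(pdf):
    """Map each URL to the channels that reached it: 'uri-action' (a link the
    reader will open), 'xmp-namespace' (schema identifier) or 'body' (other)."""
    labels = {}
    for bodies in object_bodies(pdf).values():
        for body in bodies:
            for raw in URL_RE.findall(body):
                url = raw.decode("latin-1")
                if re.search(rb"/URI\s*\(" + re.escape(raw) + rb"\)", body):
                    channel = "uri-action"
                elif url.startswith(XMP_NAMESPACES):
                    channel = "xmp-namespace"
                else:
                    channel = "body"
                labels.setdefault(url, set()).add(channel)
    return labels

if __name__ == "__main__":
    for (num, gen), kind in classify_duplicates(SAMPLE_PDF).items():
        print(f"object {num} {gen} defined more than once ({kind})")
    for policy in ("first-wins", "last-wins"):
        print(policy, resolve(SAMPLE_PDF, 5, 0, policy))
    for url, channels in label_urls(SAMPLE_PDF).items():
        print(url, sorted(channels))
```

Run directly, it prints both views of object 5: the first-wins body points at example.org, the last-wins body at the lure URL, while object 6 is reported as a body-only duplicate and left at info severity. Last-wins approximates what a conforming reader does by following the /Prev xref chain to the newest definition; a scanner that stops at the first match inspects the stale body, which is the differential the heuristic is looking for.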

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0003b615.bin
    SHA-256: 906d8e5ab69f57551ccf9fb4f1d49ecded730e02a390900dff5a8845b6983896
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x3B615
    Size: 5476 bytes
  • font_01_sfnt_off0003c892.bin
    SHA-256: f21b05a2340b363a1ed8b0bbfc234bf9da5e90c1c639b98be765a2f280f9ba06
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x3C892
    Size: 5236 bytes
  • font_02_sfnt_off0003d91f.bin
    SHA-256: 9eda6f4495e9f790b286633dfdd35a8b83f192e651302f635142db53e2b0b08c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x3D91F
    Size: 16296 bytes
  • font_03_sfnt_off00040998.bin
    SHA-256: 1e0d5806c011263fead0d0a97ee2ef622c56622b8772aec8198e3c33d023e126
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x40998
    Size: 2688 bytes
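The four artifacts are TrueType/OpenType (sfnt) font programs carved from the PDF's font streams. As an added example, not the scanner's code, the block below carves sfnt payloads out of a PDF's streams, bounds-checks the table directory before trusting any offset in it, and pulls vendor and licence URLs from the font bytes, which is where entries like ascendercorp.com and scripts.sil.org/OFL in the URL list most likely come from. The PDF and the font inside it are constructed inline, the table contents are placeholders, and only raw and /FlateDecode streams are handled; these are assumptions of the example.

```python
"""Added example, not code from the report or its scanner: carve sfnt font
programs out of a PDF's streams, bounds-check their table directory, and pull
vendor/licence URLs from the raw font bytes.  Both the font and the PDF that
wraps it are constructed here.  Real name tables store Windows-platform
strings as UTF-16BE, which the byte regex below will not see; it catches the
ASCII (Macintosh-platform) copies that most fonts also carry."""
import re
import struct
import zlib

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true")  # TrueType, CFF OpenType, old Mac
LENGTH_RE = re.compile(rb"/Length\s+(\d+)")
STREAM_RE = re.compile(rb"<<(.*?)>>\s*stream\r?\n", re.S)
URL_RE = re.compile(rb"https?://[^\s\"'<>\x00]+")

def build_sfnt(tables):
    """Minimal TrueType container: 12-byte header, 16-byte table records, data."""
    n = len(tables)
    entry_selector = n.bit_length() - 1                  # floor(log2(n))
    search_range = (1 << entry_selector) * 16
    header = struct.pack(">IHHHH", 0x00010000, n, search_range,
                         entry_selector, n * 16 - search_range)
    records, data, offset = b"", b"", 12 + 16 * n
    for tag, body in tables:
        records += struct.pack(">4sIII", tag, 0, offset + len(data), len(body))
        data += body + b"\0" * (-len(body) % 4)           # tables are 4-byte aligned
    return header + records + data

def parse_sfnt_directory(font):
    """[(tag, offset, length)] from the table directory; rejects records that
    point outside the blob, the first check any font parser must make."""
    if len(font) < 12 or font[:4] not in SFNT_MAGICS:
        raise ValueError("not an sfnt")
    n = struct.unpack_from(">H", font, 4)[0]
    if 12 + 16 * n > len(font):
        raise ValueError("table directory overruns font")
    tables = []
    for i in range(n):
        tag, _checksum, off, length = struct.unpack_from(">4sIII", font, 12 + 16 * i)
        if off + length > len(font):
            raise ValueError(f"table {tag!r} overruns font")
        tables.append((tag, off, length))
    return tables

def carve_fonts(pdf):
    """[(file_offset, decoded_bytes)] for every stream whose payload starts with
    an sfnt magic.  /Length bounds the raw stream; /FlateDecode streams are
    inflated, other filters are left alone (assumption of the example)."""
    found = []
    for m in STREAM_RE.finditer(pdf):
        length = LENGTH_RE.search(m[1])
        if not length:
            continue
        start = m.end()
        raw = pdf[start:start + int(length[1])]
        data = zlib.decompress(raw) if b"/FlateDecode" in m[1] else raw
        if data[:4] in SFNT_MAGICS:
            found.append((start, data))
    return found

def font_urls(font):
    """URLs visible in the font bytes (vendor, designer and licence strings)."""
    return sorted({u.decode("latin-1") for u in URL_RE.findall(font)})

# Constructed sample: one Flate-compressed TrueType subset and one unrelated stream.
FONT = build_sfnt([(b"head", b"\0" * 54),
                   (b"name", b"Ascender Corporation http://www.ascendercorp.com/")])
COMPRESSED = zlib.compress(FONT)
SAMPLE_PDF = (b"%PDF-1.4\n7 0 obj << /Length " + str(len(COMPRESSED)).encode()
              + b" /Filter /FlateDecode /Length1 " + str(len(FONT)).encode()
              + b" >>\nstream\n" + COMPRESSED + b"\nendstream\nendobj\n"
              b"8 0 obj << /Length 5 >>\nstream\nhello\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    for offset, font in carve_fonts(SAMPLE_PDF):
        print(f"sfnt at offset 0x{offset:X}, {len(font)} bytes")
        for tag, off, length in parse_sfnt_directory(font):
            print(f"  {tag.decode()} off={off} len={length}")
        print("  urls:", font_urls(font))
```

The offset printed is the position of the raw stream data in the file, the same convention the artifact names above use (off0003b615). Parsing the directory with bounds checks before handing a carved font to anything else matters because malformed table records are the classic way a font reaches a parser bug; a carved artifact that fails this check deserves more attention than one that passes.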