Malicious PDF — malware analysis report

Static analysis result for SHA-256 7d2c557e4f7835fd…

MALICIOUS

PDF

Size: 83.5 KB
Created: 2021-04-06 16:36:39 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 92fb652402b02d7fe0d2c5aee6e3cd3e
SHA-1: 552f1e4ead4315e5a746766fdd3905280db7e585
SHA-256: 7d2c557e4f7835fd907f76ba1840eb145c2fc582997751c6677eba6e115866b2
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains an embedded URI pointing to a suspicious domain, identified as malicious by ClamAV and an ML classifier. The document body, though heavily obfuscated, suggests a lure related to educational content, likely intended to trick users into visiting the malicious URL. No scripts were extracted, but the presence of external URIs and the ML detection strongly indicate a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ponafet.ru/123?utm_term=induction+and+deduction+worksheet
    • http://center-about.com/tunabaraxixoxaneh.pdf
    • https://cdn.sqhk.co/satukevaguka/aTMjhhf/adventure_capitalist_ps4_cheats_2020.pdf
    • https://cdn.sqhk.co/toxinize/d9hdib2/riposte_definition_pronunciation.pdf
    • http://mavixepajifulem.scienceontheweb.net/gurilosozifofebodaxomu.pdf
    • https://cdn.sqhk.co/pakebisas/7Qhjtwl/valgame_dios_antonio_orozco_letra.pdf
    • https://cdn.sqhk.co/xekejegixawo/egjihhb/punjab_government_employees_benevolent_fund_application_form.pdf
    • http://arenaprobet.com/318160808764du48.pdf
    • http://pokezokebawi.mygamesonline.org/pamiletipikivani.pdf
    • http://electrumwallet.buzz/planetary_annihilation_titans_mods_steamqkmxe.pdf
    • https://cdn.sqhk.co/tixukiko/gghfKhR/79652659490.pdf
    • http://srakan.space/why_is_ozymandias_a_good_poemukzlk.pdf
    • http://kepuxom.mypressonline.com/assassin_s_creed_origins_guide_book.pdf
    • http://vittorguxx.site/sajugasugexafurewi5ex96.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://3c8d80e7-2998-4b53-b1db-ea2053e4eee2.filesusr.com/ugd/5c8c55_9420742ca1104ecf98b2313bf800b088.pdf?index=true
    • https://uploads.strikinglycdn.com/files/26f85808-dbfc-4cad-ba70-bc117ac5b05e/how_to_overcome_ocd_naturally.pdf
    • http://lufiwivumijej.myartsonline.com/exercicios_analise_combinatoria_com_gabarito.pdf
    • https://247e77cc-5367-4382-8586-7c5891409f42.filesusr.com/ugd/2dbf5a_126cd5bf689c471cbde56ef0a1721912.pdf?index=true
    • https://uploads.strikinglycdn.com/files/dba7a4b0-778c-4226-9c86-39a3cbd264b5/39346382191.pdf
    • https://b27aca93-056c-4dd2-83a6-fd909c9f709d.filesusr.com/ugd/2ba3ac_8e34463560994e868a2ba3d6b790cb69.pdf?index=true
    • https://4a1cfc67-5981-466d-a13b-75576fe7431f.filesusr.com/ugd/64e449_60b4d9dac0e141738d388a9e14d5a0d2.pdf?index=true
    • https://3c45aaf8-24f3-4cde-9773-cf44a0a970d3.filesusr.com/ugd/ae7d54_9386829559324dfaaa68a45c5106b42d.pdf?index=true
    • https://uploads.strikinglycdn.com/files/bc117c96-52c8-47ce-ade9-2d015e1e1b67/bipobifaz.pdf
    • https://d896c2b7-539c-4146-aa8a-b39d26e096d8.filesusr.com/ugd/a98ecc_570856bae3a745cbbf54c750834b80e5.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000fca9.bin
    SHA-256: fbb17b7d361e3c02242346d4d0e41412545db58b783b0e6e8ac8e223f01cce8d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFCA9
    Size: 3072 bytes
  • font_01_sfnt_off000107a3.bin
    SHA-256: 2c0fd06c7201ce44846cf4ad449df5b8960769deab33467107fafdb1f0aa4458
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x107A3
    Size: 5088 bytes
  • font_02_sfnt_off000118fd.bin
    SHA-256: 1efe5e5f30e2bbb724c050a7d4d3e503817736b5745a2bc022cf29717510c4d0
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x118FD
    Size: 11468 bytes