Malicious PDF — malware analysis report

Static analysis result for SHA-256 7d3d6863b6f6e48e…

MALICIOUS

PDF

Size: 85.6 KB
Created: 2021-03-30 18:35:16 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3284816a40073db90934dc74e9ab19b0
SHA-1: 6b8213b50ab4f88b94eacb2adf35080afc04fbe5
SHA-256: 7d3d6863b6f6e48e703c2da5a040b8fe857a74d5f0559ff7226664997b92d32f
Risk Score: 104

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF that contains an embedded URL pointing to a resource that appears to be a form or answer sheet. The ML classifier and ClamAV detection strongly indicate malicious intent, likely phishing or malware delivery. The presence of a 'download button' heuristic further supports a lure-based attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://leonvi.ru/award?keyword=neet+answer+sheet+format+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00010edd.bin
    SHA-256: 8790d5c10f4902f43b23e5eac015ad1455e7a95328be7efde36abc1cd78fb768
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10EDD
    Size: 5308 bytes
  • Filename: font_01_sfnt_off000120d7.bin
    SHA-256: 87d50911e64706bc6bc26c3c0f574e6dcf42716f5d859763331069979fae6b6d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x120D7
    Size: 11424 bytes