Malicious PDF — malware analysis report

Static analysis result for SHA-256 8061798e8cf50af3…

MALICIOUS

PDF

Size: 74.3 KB
Created: 2021-04-07 21:30:53 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2fcb0245b35029bb84e2224a887046db
SHA-1: 4e6105befbd24287cc8e3939f16573c6e0aa5463
SHA-256: 8061798e8cf50af37b07af4027ff3ceac9432569868df8a550bca1a7ca7a7703
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains an embedded URL that, when visited, likely leads to a phishing or malware download site. The ClamAV detection and ML classifier strongly indicate malicious intent, specifically a phishing lure disguised as educational content. No scripts were extracted, but the presence of an external URI is a primary indicator of malicious activity.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000e7ec.bin
  SHA-256: 8619f07b428c890e0de73fa8e29867c27eac6db4294bbe74da5d17f952ada148
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xE7EC
  Size: 5552 bytes

Filename: font_01_sfnt_off0000fabc.bin
  SHA-256: 5c2ae2ce2436b2c8cde95310c770fdab5420a5ed084e1c54229491612a0cc663
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xFABC
  Size: 9676 bytes