Malicious PDF — malware analysis report

Static analysis result for SHA-256 846a4e9b1de79663…

Verdict: MALICIOUS
File type: PDF
Size: 75.3 KB
Created: 2021-03-16 21:08:26 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
(Creation time and producer string are taken from the document's own metadata and can be set freely by whoever generated the file; do not treat them as evidence.)
MD5: fe25e0c822a0ba7d3fc0183ccb4e41c1
SHA-1: 275bc8ac2094e67bc3c5f2a4dc258934ef7d917b
SHA-256: 846a4e9b1de79663c1916df9b4055cbd01a86e55bbcae068f957f9bb3b71fe48
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The file was flagged as malicious by both ClamAV and the ML classifier, and it carries a link action whose target is a suspicious domain (jumiwimov.ru). The document body is heavily obfuscated; what can be recovered from it is PDF-generation metadata and text that appears intended to mislead the reader. A link action pointing outside the document is the usual mechanism of a PDF phishing lure: the reader is sent to an attacker-controlled site, typically for credential theft or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (4)

  • ClamAV detection (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader therefore resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so the severity is raised only when the duplicate carries active content (a link action, JavaScript, a launch action and the like).
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels indicate which channel (macro, JS, link annotation, document body, ...) reached each URL. Note that the trailing w3.org, purl.org and ns.adobe.com entries are XMP schema namespace identifiers, and scripts.sil.org/OFL is the SIL Open Font License URL that fonts commonly carry in their name table; these come from metadata, not from link actions.
    • https://jumiwimov.ru/123?utm_term=nice+guidelines+inguinal+hernia+repair
    • https://cdn.sqhk.co/wuwovodegi/fjbZts4/lagajona.pdf
    • https://cdn-cms.f-static.net/uploads/4366664/normal_5fd6a8410c2c1.pdf
    • https://static.s123-cdn-static.com/uploads/4471706/normal_5ff30078d38b1.pdf
    • http://rutonujak.iblogger.org/seth_thomas_mantle_clock_repair_near_me.pdf
    • https://finuvowevemez.weebly.com/uploads/1/3/5/3/135397693/1189019.pdf
    • https://cdn.sqhk.co/kewawukufiju/ibhjbHv/nike_high_impact_sports_bra_canada.pdf
    • https://cdn-cms.f-static.net/uploads/4499309/normal_600cab3e1669c.pdf
    • https://sumulepali.weebly.com/uploads/1/3/4/8/134882140/zegijupome-buxeda-didabi.pdf
    • http://demubowigipuwi.22web.org/geometric_tools_for_computer_graphics.pdf
    • https://cdn.sqhk.co/rewanizotaj/icFcigP/cute_polar_bear_wallpapers.pdf
    • http://geguxejap.22web.org/newariwabe.pdf
    • https://bowotile.weebly.com/uploads/1/3/4/7/134759747/bewefugelid.pdf
    • https://vamofelew.weebly.com/uploads/1/3/5/3/135398798/labenimegimetum-xumet-tasote-wugimulop.pdf
    • https://jexadafiveti.weebly.com/uploads/1/3/4/7/134765621/c9a9a9c2.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://238a82c5-85a8-4641-a991-2f0f5270ddc4.filesusr.com/ugd/63f22d_7d67e6a2de664f4ba626ad75e20f27fc.pdf?index=true
    • https://s3.amazonaws.com/gogonof/tudopowibivetigifibor.pdf
    • https://s3.amazonaws.com/masevewi/leduxekova.pdf
    • http://gulujuwelowox.epizy.com/42495608639.pdf
    • https://s3.amazonaws.com/kexamoxusinixu/98671839318.pdf
    • https://cf176ec6-4820-456b-adf9-61e5f06c968f.filesusr.com/ugd/43d598_9e995bd028c944b5a4fc130a8b60cdd4.pdf?index=true
    • http://toxuxefegetej.rf.gd/fisher_paykel_dishdrawer_maintenance_manual.pdf
    • https://s3.amazonaws.com/jajuzasalikirut/92200230194.pdf
    • https://s3.amazonaws.com/pisik/xatibegonilegub.pdf
    • https://29474179-7c7c-44ae-84e0-3c37792f2e25.filesusr.com/ugd/7f817d_f99eaf1f12e24a5d8bbdfc35f07cce65.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
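To show what the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and PDF_URI / EMBEDDED_URL heuristics above actually check, here is an added Python example. It is not the analysis tool's own code and not derived from the sample: it walks a PDF's raw bytes (ignoring the xref, which a crafted file can lie about), groups every `N G obj ... endobj` definition by object number, reports objects whose bodies differ between definitions together with the first-wins and last-wins body, and ties each `/URI` action back to the object version that carries it. The embedded `SAMPLE_PDF`, the `phish.invalid` and `example.org` targets, and the list of "active" dictionary keys in `ACTIVE_RE` are this example's own constructions.

```python
"""Walk a PDF's raw bytes (not its xref, which a crafted file can lie about)
to find indirect objects defined more than once with different bodies, and to
tie every /URI action back to the object version that carries it."""
import hashlib
import re
from collections import defaultdict

# Constructed sample, not bytes from the analysed file. A one-page PDF whose
# link annotation (object 4) is redefined by an incremental update: a
# first-wins parser follows the benign target, a last-wins parser the other.
# The xref tables are placeholders; this scanner never reads them.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI /URI (https://example.org/benign) >> >>
endobj
xref
0 5
trailer
<< /Size 5 /Root 1 0 R >>
startxref
0
%%EOF
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI /URI (https://phish.invalid/login) >> >>
endobj
xref
0 1
trailer
<< /Size 5 /Root 1 0 R /Prev 0 >>
startxref
0
%%EOF
"""

# "N G obj <body> endobj", scanned over the whole file regardless of xref.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
# Dictionary keys that make an object "active" (this example's own list).
ACTIVE_RE = re.compile(rb"/(JS|JavaScript|Launch|OpenAction|AA|URI|GoToR|SubmitForm|EmbeddedFile)\b")
# Literal-string /URI value, tolerating backslash-escaped parentheses.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)


def iter_objects(data):
    """Yield every 'N G obj ... endobj' definition in file order."""
    for m in OBJ_RE.finditer(data):
        yield {"num": int(m.group(1)), "gen": int(m.group(2)),
               "offset": m.start(), "body": m.group(3).strip()}


def find_duplicate_objects(data):
    """Return {(num, gen): info} for objects defined more than once with
    differing body bytes. info carries each version's offset and body hash,
    the first-wins and last-wins bodies, and whether any version is active."""
    versions = defaultdict(list)
    for obj in iter_objects(data):
        versions[(obj["num"], obj["gen"])].append(obj)
    dups = {}
    for key, objs in versions.items():
        digests = [hashlib.sha256(o["body"]).hexdigest() for o in objs]
        if len(set(digests)) < 2:
            continue  # defined once, or re-emitted byte-identically
        dups[key] = {
            "versions": [(o["offset"], d[:16]) for o, d in zip(objs, digests)],
            "first_wins": objs[0]["body"],
            "last_wins": objs[-1]["body"],
            "active": any(ACTIVE_RE.search(o["body"]) for o in objs),
        }
    return dups


def extract_uris(data):
    """Return [(num, gen, offset, uri)] for every /URI action, so each URL
    is attributed to the object version (and file offset) that carries it."""
    found = []
    for obj in iter_objects(data):
        for m in URI_RE.finditer(obj["body"]):
            raw = m.group(1)
            # Undo the PDF literal-string escapes that matter for URLs.
            uri = raw.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")
            found.append((obj["num"], obj["gen"], obj["offset"], uri.decode("latin-1")))
    return found


if __name__ == "__main__":
    for (num, gen), info in find_duplicate_objects(SAMPLE_PDF).items():
        print(f"{num} {gen} obj defined {len(info['versions'])}x, active={info['active']}")
        print("  first-wins:", info["first_wins"].decode("latin-1"))
        print("  last-wins: ", info["last_wins"].decode("latin-1"))
    for num, gen, off, uri in extract_uris(SAMPLE_PDF):
        print(f"/URI in {num} {gen} obj at 0x{off:x}: {uri}")
```

Against a real file, call `find_duplicate_objects(open(path, "rb").read())`. The raw scan deliberately mirrors what a lenient reader does, but it only sees objects stored in the clear: objects packed into `/ObjStm` object streams or bodies inside compressed streams must be inflated first, and a `/URI` given as a hex string (`<...>`) would need a second pattern.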

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000eb78.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xEB78   5304 bytes
  SHA-256: 8630a75b97ea5cf602e06db72f090ea6cc8214a09c762f35fceac1955cbeafb0
font_01_sfnt_off0000fd7d.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xFD7D   9972 bytes
  SHA-256: a782e9e4a9a75c7f17513da34482d130011d50566d8c46ca49fd5e34579f4fde
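The two artifacts above were carved by locating sfnt (TrueType/OpenType) fonts inside the PDF and sizing each one from its own table directory rather than from the surrounding stream's `/Length`. The following Python carver is an added example, not the analysis tool's code: it scans a byte blob for the three sfnt magics, validates the table directory at each hit (which rejects false positives such as the PDF boolean `true`), computes the font's extent as the end of its last table, and hashes the result. The container, the two fonts built by `build_test_sfnt`, and the `MAX_TABLES` bound are this example's constructions; it assumes the fonts are stored uncompressed, so FlateDecode streams must be inflated before scanning.

```python
"""Carve embedded sfnt fonts from a raw byte blob, sizing each one from its
table directory rather than trusting the surrounding PDF /Length."""
import hashlib
import struct

# sfntVersion values for TrueType, CFF-based OpenType and Apple TrueType.
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true")
MAX_TABLES = 64  # sanity bound chosen for this example; real fonts carry far fewer


def sfnt_length(data, start):
    """Validate the sfnt table directory at `start` and return the font's
    size in bytes (end of its last table, 4-byte aligned), or None if the
    directory is not self-consistent (e.g. the PDF boolean 'true')."""
    if len(data) - start < 12:
        return None
    num_tables = struct.unpack_from(">H", data, start + 4)[0]
    if not 0 < num_tables <= MAX_TABLES:
        return None
    dir_size = 12 + 16 * num_tables
    if dir_size > len(data) - start:
        return None
    end = dir_size
    for i in range(num_tables):
        tag, _checksum, off, length = struct.unpack_from(">4sIII", data, start + 12 + 16 * i)
        if any(b < 0x20 or b > 0x7E for b in tag):  # tags are printable ASCII
            return None
        if off < dir_size or off + length > len(data) - start:  # table must follow the directory and fit
            return None
        end = max(end, off + length)
    return min((end + 3) & ~3, len(data) - start)


def carve_sfnts(data):
    """Return [(offset, size, sha256)] for every sfnt whose directory validates.
    Assumes fonts are stored in the clear; inflate FlateDecode streams first."""
    found = []
    pos = 0
    while True:
        hits = [i for i in (data.find(m, pos) for m in SFNT_MAGICS) if i != -1]
        if not hits:
            return found
        start = min(hits)
        size = sfnt_length(data, start)
        if size is None:  # magic bytes without a sane directory: move on one byte
            pos = start + 1
            continue
        blob = data[start:start + size]
        found.append((start, size, hashlib.sha256(blob).hexdigest()))
        pos = start + size


def build_test_sfnt(tables):
    """Assemble a minimal TrueType-flavoured sfnt from {tag: bytes} (test data only).
    searchRange/entrySelector/rangeShift are left 0; the carver ignores them."""
    num = len(tables)
    header = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", num, 0, 0, 0)
    records, body = b"", b""
    for tag, payload in tables.items():
        records += struct.pack(">4sIII", tag, 0, 12 + 16 * num + len(body), len(payload))
        body += payload + b"\0" * (-len(payload) % 4)  # tables are 4-byte aligned
    return header + records + body


def wrap_stream(num, payload):
    """Wrap bytes in a PDF-style stream object (test scaffolding)."""
    return (b"%d 0 obj\n<< /Length %d >>\nstream\n" % (num, len(payload))
            + payload + b"\nendstream\nendobj\n")


# Constructed container, not bytes from the analysed sample: two fonts inside
# uncompressed stream objects, plus a PDF boolean 'true' that a naive magic
# scan would mistake for an Apple-style sfnt header.
FONT_A = build_test_sfnt({b"head": b"\0" * 54, b"cmap": b"\0\0\0\x01" + b"A" * 10})
FONT_B = build_test_sfnt({b"name": b"N" * 20})
CONTAINER = (b"%PDF-1.7\n/Bool true /Ver 1\n"
             + wrap_stream(12, FONT_A) + wrap_stream(13, FONT_B) + b"%%EOF\n")

if __name__ == "__main__":
    for off, size, digest in carve_sfnts(CONTAINER):
        print(f"sfnt at offset 0x{off:X}, {size} bytes, sha256 {digest}")
```

The directory walk is what makes the size trustworthy: the PDF's `/Length` can be wrong or adversarial, whereas a font that does not describe its own tables consistently will not load in any renderer either, so requiring a consistent directory both rejects decoys and yields the real extent. Fonts inside FlateDecode streams are invisible to this raw scan until each stream is inflated.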