Malicious PDF — malware analysis report

Static analysis result for SHA-256 864e850430b1087b…

Verdict: MALICIOUS
File type: PDF
Size: 107.4 KB
Created: 2021-03-18 18:54:40 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5447d7cb42b1c891f14eff8e542dab94
SHA-1: 214b6bb09abe069c83030e5417c345199347c856
SHA-256: 864e850430b1087b8f19615661ed15c3d180abaf297fb6af246819ff129c5a65
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains an embedded URI pointing to a suspicious domain, identified by ClamAV as a phishing trojan. The document body, though heavily obfuscated, suggests a lure related to a search query, likely intended to trick the user into visiting the malicious URL. No scripts were extracted, but the presence of external URIs and the ML classifier's high confidence indicate a malicious intent to redirect the user to a phishing site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://seumenha.ru/award?keyword=bouillon+de+poulet+pour+l+%25C3%25A2me+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00016510.bin
  SHA-256: 8033a0a97ec23f1bdaecbffee55ab137cb2cc82895b8b2ceefc118f602154721
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x16510
  Size: 5088 bytes

Filename: font_01_sfnt_off00017650.bin
  SHA-256: d9f801d6e45b4555cb02d6cac6e24942aa1770ff45ae58a7822d8dc7560a725b
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x17650
  Size: 12664 bytes