Malicious PDF — malware analysis report

Static analysis result for SHA-256 86707f2e7e0122aa…

Verdict: MALICIOUS
File type: PDF
Size: 71.1 KB
Created: 2021-03-14 09:27:03 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 041bd7a7670656b7f9941491c81df1e9
SHA-1: 99e48a56102ae3a38f320b0d28d30c8594d1318e
SHA-256: 86707f2e7e0122aa0dd13b03296f5dd794dff2b57359e08e4ece52ed405089a4
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. It contains an embedded external URI pointing to a suspicious domain, likely intended to host a malicious payload or redirect the user to a phishing site. The document body, though heavily obfuscated, suggests a lure related to 'worksheet answers', aligning with phishing or scam tactics.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://pelibifir.ru/wix?keyword=mole+to+mole+calculations+worksheet+answers

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off0000d6fd.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xD6FD  5200 bytes
  SHA-256: 8d74d901f54ed85e582e809a113e6e8188370aaca7ee06254267b9666a9fef1e
font_01_sfnt_off0000e897.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xE897  10676 bytes
  SHA-256: 89ff5892da93c70496a5ca3f41e35597437fcee3fe39f284a23f4bbe34109814