Malicious PDF — malware analysis report

Static analysis result for SHA-256 87cbdd1fa484740d…

MALICIOUS

PDF

214.7 KB Created: 2021-05-30 13:03:29 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-24
MD5: a18df250eb860b72cfa53a427b974edd SHA-1: e9bb8091c6b230b2c647952f0ddcfbcfe193b3e4 SHA-256: 87cbdd1fa484740ddf05bebae17c38016c6d4b46edcd2948eb2fbad94277e809
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The embedded URL points to a suspicious domain, suggesting it's used to host or redirect to malicious content. While no scripts were explicitly extracted, the PDF structure and embedded URLs are indicative of a phishing or malware distribution attempt, likely initiated via a spearphishing attachment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9958

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jacksth.ru/123?utm_term=nccn+guidelines+metastatic+gastric+cancer PDF link annotation
    • https://pakoverixofe.weebly.com/uploads/1/3/4/7/134771358/bokoxem-zakiv-vuredit.pdfIn PDF document text
    • https://xojolulodi.weebly.com/uploads/1/3/0/9/130969725/puwuxodixubo.pdfIn PDF document text
    • https://lewefuno.weebly.com/uploads/1/3/4/0/134041273/tetip-rixikotuzuva-lovef.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4479223/normal_600f5807903ad.pdfIn PDF document text
    • https://fivefijoxiwu.weebly.com/uploads/1/3/1/4/131453543/9151675.pdfIn PDF document text
    • https://sesuwulot.weebly.com/uploads/1/3/1/4/131438847/nunozojofowitesoz.pdfIn PDF document text
    • https://subogepaweb.weebly.com/uploads/1/3/2/3/132302814/jabed-vopavuturezebi-fuvumakupirut.pdfIn PDF document text
    • https://jotovaxawunujej.weebly.com/uploads/1/3/1/8/131856347/302ea6b81cbd.pdfIn PDF document text
    • https://povefedonigo.weebly.com/uploads/1/3/1/6/131637150/5936075.pdfIn PDF document text
    • https://tijezelaxupoki.weebly.com/uploads/1/3/5/3/135340387/deteputox-talom.pdfIn PDF document text
    • https://bobujiwa.weebly.com/uploads/1/3/1/0/131070874/a97a7a7.pdfIn PDF document text
    • https://fubagodesipura.weebly.com/uploads/1/3/4/3/134326772/2770844.pdfIn PDF document text
    • https://zedodunojoponex.weebly.com/uploads/1/3/6/0/136083391/4257045.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4378621/normal_601d8ad1310c6.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/d4f2215d-6313-4114-a4c9-68c6d8ddd1ba/1174263109.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/5d6c2493-d467-45ce-afd9-5d5b120cb571/gegiz.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/9060b411-5da1-40c6-9674-0115cc3c80c4/how_long_does_baby_leap_last.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/2af08881-dcb6-4340-ab74-648a10df65b9/satavugowagewirunuwizipog.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/2cb77fed-55d8-4e4b-9bba-9233a67170f1/vaduze.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/06222f0a-fa58-470f-97b3-94867374c986/the_hiding_place_audiobook_chapter_11.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/27fd132e-10f0-45ed-a1b1-21bcfe62c1ff/how_does_firestar_lose_his_lives.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/aed47d3b-5d49-4490-9c44-0b9b6a368aae/jigodulidufuke.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00030d7d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x30D7D 5228 bytes
SHA-256: 08d24bd3b2a981b4492bfeba7d78073418625e3ea650c3ea61f2d26a8b47fbb0
font_01_sfnt_off00031f32.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x31F32 14196 bytes
SHA-256: f421dc8e6416e0520ce387d15a1a0aa777e2a466eb9e6450d7fec14de892471c

Open this report in the interactive analyzer, or submit your own file for analysis.