Malicious PDF — malware analysis report

Static analysis result for SHA-256 883dd99e37d34d66…

MALICIOUS

PDF

Size: 198.9 KB
Created: 2021-03-29 03:28:24 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 09a136034437140b00fbc45d7d636723
SHA-1: 215a6c103a3218c33890ac1258e5ceaf2250d842
SHA-256: 883dd99e37d34d669b791797557ee01342d09ba81d505a88b09a772b3f5641ec
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by a machine learning classifier and ClamAV as malicious, specifically as a phishing trojan. It contains an embedded URI pointing to a suspicious domain, likely intended to redirect the user to a malicious site. The document body, though heavily obfuscated, suggests a lure related to a book title, which is a common tactic for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9906

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Each entry lists the carved file's name, kind, source, size and SHA-256.

  • stream_006_off0002cb40.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x2CB40
    Size: 22200 bytes
    SHA-256: 025d6141373f148f2523fcfffe1b7eb1587f3f312c19b4a529176b4b00d27e63
  • font_00_sfnt_off00027fba.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x27FBA
    Size: 5760 bytes
    SHA-256: 94f27511b2225e0100c9dc8e9affbf9aea2995ffbcb0fab71aa2b71f05449528
  • font_01_sfnt_off00029325.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x29325
    Size: 3772 bytes
    SHA-256: 4cd60777e265fafd80a6c4ac8a8f541642313e2b1c6670a3899fdf55b12f51bc
  • font_02_sfnt_off00029eca.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x29ECA
    Size: 14828 bytes
    SHA-256: cbed23663de4d61e1e4287a3194744807d32608ad23a6fe7579b45c19278d4b2