Malicious PDF — malware analysis report

Static analysis result for SHA-256 89ec5a54ca2d19fc…

Verdict: MALICIOUS

File type: PDF

Size: 74.0 KB
Created: 2021-06-01 04:36:25 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-06-28

MD5: 3ef7b0cf70514a87116416ed4056f1ed
SHA-1: 92c6e75bc26eb1a13a1dd648fd20b3c7c09b8f24
SHA-256: 89ec5a54ca2d19fc68615a25f2aad59241ea78062a4fc90283753c5d575c3e35

Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is flagged as malicious by the ML classifier (score 0.9991) and by ClamAV, whose signature names it a PDF phishing trojan. The document was rendered from HTML with wkhtmltopdf 0.12.5, and its only navigable target is a link annotation pointing at https://catamma.ru/pbw?utm_term=here+comes+the+sun+piano+sheet+music+pdf, a lure that matches the document's search-bait title; a landing page of this kind is typically used for credential harvesting or for handing out a malware download, although the destination was not fetched in this static pass. The remaining URLs occur only in document text and are not clickable: the strikinglycdn.com and pbworks.com entries are further "download this PDF" lures of the same style, while the w3.org, purl.org and ns.adobe.com URIs are XMP metadata namespace identifiers and the ascendercorp.com and scripts.sil.org/OFL entries are font-vendor and font-licence URLs of the kind carried by embedded fonts. No JavaScript action or script stream was extracted, so the T1059.007 mapping is not supported by any artifact in this report; the technique actually observed is the malicious link inside a spearphishing attachment (T1566.001).

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://catamma.ru/pbw?utm_term=here+comes+the+sun+piano+sheet+music+pdf (PDF link annotation)
    • http://www.ascendercorp.com/ (PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (PDF document text)
    • https://uploads.strikinglycdn.com/files/4549b489-ec1b-427f-b639-999d41290667/kimisebomixotuzavi.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/4416e819-555c-4273-b8fe-67547f126300/kotatisafetox.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/aa58d9c3-5293-4790-bc74-1ddcf31d1ffa/59566465455.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/b6e21add-d9d3-419b-b8c7-3be0f6be90b2/skyrim_how_to_get_mods_on_ps4.pdf (PDF document text)
    • http://ziduzobif.pbworks.com/f/tupud.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/f1bb0647-42ea-47cf-a63e-9bcc0d573dcd/83470077037.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/2c69311a-547a-4a6a-884b-45304b3a7316/28410332094.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/aef35ff1-b591-42a5-babd-361e8eebf3dd/fekixire.pdf (PDF document text)
    • http://paderukut.pbworks.com/w/file/fetch/144440115/76139106095.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/85780dbd-4228-42ed-97a4-f848ebd75bb5/55572275227.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/e3327718-6c15-4db2-aa11-6ef7cc5fa65c/drill_master_1_4_trim_router_review.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/4316dadd-2eaf-4e40-8166-a047f0374102/super_mario_bros_3_multiplayer_rom_hack.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/138cbac7-6001-4f6f-a70b-9eed784a3810/kanowiwiwe.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/b093a876-43b1-4c51-b523-ffb83ca49233/how_to_explain_borderline_personality_disorder_to_a_child.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/6d066748-25c4-496d-ba7a-491fc226654b/foxafojilajalajitagajefab.pdf (PDF document text)
    • http://wozixokumo.pbworks.com/w/file/fetch/144434964/jojexalojirejemajat.pdf (PDF document text)
    • http://fevawigo.pbworks.com/f/how_to_reset_tp-link_extender_ac1750.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/7c5a0a68-8fdf-4ece-9c35-7c82e212f405/solagaxesogelum.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/6f0bbdc7-70ab-4df8-88ca-8b3b61f7b143/what_are_the_basic_formulas_in_physics.pdf (PDF document text)
    • http://nilanom.pbworks.com/f/43590226002.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/6bff76a3-3c48-4a53-b6f9-a8ee8bbd90ab/3931507580.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/304e198e-0706-4e65-88a0-147ef33f2ecd/relenokazovovitexadaxuti.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/fc7d6834-544d-4230-a09d-8cdf66bfa20b/debumoliwitofisa.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/8e365e42-5961-4539-8f84-6e3fe89373c0/does_ucsd_have_spring_admission.pdf (PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (PDF document text)
    • http://purl.org/dc/elements/1.1/ (PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (PDF document text)
    • http://ns.adobe.com/xap/1.0/ (PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (PDF document text)
    • http://scripts.sil.org/OFL (PDF document text)
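The two structural heuristics above (PDF_URI / EMBEDDED_URL and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) can be reproduced with a few dozen lines of Python. The scanner below is an added example written for this report, not the analysis engine's own code: it walks every `N G obj ... endobj` definition in the raw bytes, reports objects defined more than once with byte-different bodies, marks whether a conflicting definition carries active content (the condition under which the report raises severity), and shows which /URI a first-wins and a last-wins reader would resolve for the same link annotation. The sample PDF is constructed for the example (a benign link annotation redefined by an appended incremental update; xref tables omitted; placeholder `.invalid` hostnames), and the ACTIVE_RE key list is this example's own choice of what counts as active content.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample: one page whose link annotation (object 4) is redefined
# in an appended incremental update. xref tables are deliberately omitted;
# the scanner works on raw bytes because parser confusion is precisely about
# readers disagreeing over which definition of an object wins.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [72 700 300 720]
   /A << /S /URI /URI (https://example.invalid/sheet-music) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [72 700 300 720]
   /A << /S /URI /URI (https://catamma.invalid/pbw?utm_term=here+comes+the+sun) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
# Keys that make a conflicting definition worth escalating: they run, navigate
# or submit something when the object is resolved (assumed list for this example).
ACTIVE_RE = re.compile(rb"/(JavaScript|JS|Launch|URI|SubmitForm|GoToR|OpenAction|AA)\b")
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)


def iter_objects(data):
    """Yield (num, gen, offset, body) for every `N G obj ... endobj` in file order."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.start(), m.group(3).strip()


def find_duplicate_objects(data):
    """Map (num, gen) -> list of {offset, sha256, active} for objects defined
    more than once with byte-different bodies (the PDF_DUPLICATE_OBJ_BODY shape)."""
    seen = defaultdict(list)
    for num, gen, off, body in iter_objects(data):
        seen[(num, gen)].append({
            "offset": off,
            "sha256": hashlib.sha256(body).hexdigest(),
            "active": bool(ACTIVE_RE.search(body)),
        })
    return {key: defs for key, defs in seen.items()
            if len({d["sha256"] for d in defs}) > 1}


def resolve_object(data, num, gen, policy="last"):
    """Body a reader would use for (num, gen). 'last' mimics readers that honour
    the newest incremental update (the normal PDF rule); 'first' mimics readers
    that keep the first definition met. None if the object does not exist."""
    bodies = [b for n, g, _, b in iter_objects(data) if (n, g) == (num, gen)]
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


def link_annotation_uris(data, policy="last"):
    """URIs reachable through /Link annotations' /URI actions under the given
    resolution policy. Only literal (...) strings are handled; hex <...> strings
    and /URI values held in a separate indirect object are out of scope here."""
    uris = []
    for key in sorted({(n, g) for n, g, _, _ in iter_objects(data)}):
        body = resolve_object(data, *key, policy=policy)
        if b"/Subtype /Link" in body or b"/Subtype/Link" in body:
            uris.extend(m.group(1).decode("latin-1") for m in URI_RE.finditer(body))
    return uris


def severity_for_duplicates(dups):
    """'info' for body-only differences (benign incremental updates do this);
    'high' once any conflicting definition carries active content."""
    return "high" if any(d["active"] for defs in dups.values() for d in defs) else "info"


if __name__ == "__main__":
    dups = find_duplicate_objects(SAMPLE_PDF)
    for (num, gen), defs in dups.items():
        print(f"object {num} {gen} defined {len(defs)}x with differing bodies")
        for d in defs:
            print(f"  offset 0x{d['offset']:x} sha256 {d['sha256'][:12]} active={d['active']}")
    print("severity:", severity_for_duplicates(dups))
    print("first-wins reader sees:", link_annotation_uris(SAMPLE_PDF, "first"))
    print("last-wins reader sees: ", link_annotation_uris(SAMPLE_PDF, "last"))
```

Run against a real sample, the interesting output is the disagreement: a gateway that resolves first-wins sees the benign URI while the victim's viewer, following the incremental update, is sent to the lure. The regex scanner is a triage tool only; it will also match `N G obj` tokens that happen to occur inside stream data and ignores objects inside object streams, so confirm findings with a full parser before relying on them.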

Extracted artifacts (2)

Files carved from inside the sample during analysis.

font_00_sfnt_off0000e63c.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xE63C
  Size: 5324 bytes
  SHA-256: f19029f0cdec23dffc729fdc9b014b3768ad32d12756b9b2e6cb07794a040960

font_01_sfnt_off0000f82b.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF82B
  Size: 10144 bytes
  SHA-256: bb54b004d17aad6bb6a11efc4b430aaa3775533def7f5301dc59a8477f24754d