Malicious PDF — malware analysis report

Static analysis result for SHA-256 8cf261abf1b97c1f…

Verdict: MALICIOUS
File type: PDF
Size: 86.7 KB
Created: 2021-03-30 13:31:42 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 29fcf2d368688c7c05142982c367e682
SHA-1: 7c4eae43a6ada489f39289a40bf5f4c91b1afc20
SHA-256: 8cf261abf1b97c1f8fbecb5daefd0f92830ec3160969ede95e88b902d8029b9e
Risk Score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The sample was detected as a malicious PDF by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. The presence of external URIs suggests the document is designed to redirect users to potentially harmful websites. Although no scripts were explicitly extracted, the PDF structure and embedded URIs point towards a phishing or malware distribution attempt, likely initiated via a spearphishing attachment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://nipisod.ru/strik?utm_term=how+does+climate+change+affect+polar+bears+ks2
    • https://kavusataru.weebly.com/uploads/1/3/5/3/135314949/8910334.pdf
    • https://vajasefa.weebly.com/uploads/1/3/4/4/134490273/991079.pdf
    • http://fosipuzo.mypressonline.com/savizazitamexipaje.pdf
    • http://smm-target.ru/jubomupefesobazodorodojay8m5k.pdf
    • https://newavutija.weebly.com/uploads/1/3/1/8/131871734/1562792.pdf
    • https://cdn.sqhk.co/gikokimofegi/gj0ticr/black_library_audiobook_download.pdf
    • https://cdn.sqhk.co/zerurukoraju/ihXnjfv/download_game_woodcraft_survival_island.pdf
    • http://circulshtangcalip.website/40641143442o7wno.pdf
    • http://megoribituvu.iblogger.org/ayatul_kursi_mp4.pdf
    • http://kuvuradivikosef.iblogger.org/mercer_compensation_report.pdf
    • http://socialwave.me/jexoxijazi558r6.pdf
    • http://gexopidikimo.mygamesonline.org/which_book_of_enoch_is_the_best.pdf
    • http://sk-anker.ru/summary_of_marking_period_3_in_speakd4ux6.pdf
    • https://polaposegit.weebly.com/uploads/1/3/4/5/134591324/muvulixu-zofowosidovo-tebalusel-bulojabekuxije.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • http://wowadepadon.rf.gd/dusijatowenalamekimigebo.pdf
    • http://defakulid.atwebpages.com/wegaluramo.pdf
    • http://lanuseponozowut.rf.gd/ceremony_penguin_classics_deluxe_edition.pdf
    • http://vifebekomese.rf.gd/vosikibavunagukademewa.pdf
    • http://tamupevex.rf.gd/all_star_cheer_uniforms_top_gun.pdf
    • http://wuzatefiroko.epizy.com/14100213132.pdf
    • http://sovizaz.epizy.com/analytical_methods_for_engineers.pdf
    • http://nubibubimalepik.atwebpages.com/certified_ethical_hacker_foundation_guide.pdf
    • http://vemenukesemi.epizy.com/what_is_the_easiest_welder_to_learn.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename (with SHA-256), Kind, Source, Size

  • Filename: font_00_sfnt_off0001062e.bin
    SHA-256: aecf22cab2e23a28c8b843658d699d701a11382faad022620a167f0ceaefc273
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1062E
    Size: 5744 bytes
  • Filename: font_01_sfnt_off0001199e.bin
    SHA-256: b9565074dc7b43090f39bf144a391036b43c0b1b62a00f0669ca0b6a01d7ae86
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1199E
    Size: 10932 bytes
  • Filename: font_02_sfnt_off00013efe.bin
    SHA-256: 4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x13EFE
    Size: 4324 bytes