Malicious PDF — malware analysis report

Static analysis result for SHA-256 8e4f321197fe24c6…

MALICIOUS

PDF

Size: 89.6 KB
Created: 2021-03-28 00:02:40 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 218e4dc119c86d345a5a187b66ab45d9
SHA-1: a896b5e0d5b1201bac442247b53a6aea9eda27a8
SHA-256: 8e4f321197fe24c6c26e5385e63efdc96e1e2cbd951b9e81ce1394796b8ed4ad
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains an embedded URL that leads to a suspicious domain, identified by heuristics as an external URI and flagged by ML classifiers and ClamAV as malicious. The document body, though heavily obfuscated, suggests an attempt to disguise the malicious content as an educational exercise, likely to trick users into visiting the linked URL. No scripts were extracted, but the presence of the malicious URL and the overall detection by security tools strongly indicate a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ponafet.ru/123?utm_term=exercice+nombre+rationnel+5eme+pdf
    • https://cdn.sqhk.co/jumibizede/bhevbjf/moto_x3m_pool_party_unblocked_66.pdf
    • https://cdn-cms.f-static.net/uploads/4485166/normal_601a814fb023b.pdf
    • https://cdn.sqhk.co/xisiwuba/jeVTshg/83871485034.pdf
    • http://item-mask.top/worst_sing_christmas_carolsid82p.pdf
    • http://wildber.store/common_interview_questions_for_health_care_assistant9krj9.pdf
    • https://cdn.sqhk.co/xizefonuma/jdWhaL3/plant_monsters_yugioh.pdf
    • http://pikogoxo.iblogger.org/xivifumanod.pdf
    • http://lefuvaguvupawax.iblogger.org/agenda_2018_excel_template.pdf
    • https://cdn-cms.f-static.net/uploads/4456705/normal_6025168b71b71.pdf
    • http://vkysnaya-eda.site/xolulutekaxarigaresej6sr0.pdf
    • https://cdn-cms.f-static.net/uploads/4445742/normal_6048f9e7c77f0.pdf
    • https://cdn.sqhk.co/xujifomevesa/fgcfiab/nevumikokometoj.pdf
    • http://i-men.ru/how_big_is_25_x_30_cm_in_inchesnvt25.pdf
    • http://letxxnx.org/skyrim_compelling_tribute_stormcloak_guider425r.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://c31d65df-273c-4bcc-acfb-7b03b0724b99.filesusr.com/ugd/e7e4a0_a020ea4c9fde4ee6bffcb350efee40f6.pdf?index=true
    • http://wofenexofube.rf.gd/83716828847.pdf
    • https://8641c524-1fb5-4292-87ed-dd72f64d6c22.filesusr.com/ugd/9b7d8a_59284831bc7a494489bc7865c7a83caa.pdf?index=true
    • https://493f174a-a540-412c-bacb-e5b7b26cbfcf.filesusr.com/ugd/95bb70_2cf1ac82d0ac4f3c89892a3f030278c7.pdf?index=true
    • https://c8f6a2ed-bc8a-4fd4-b26a-19707db7c4cd.filesusr.com/ugd/1cc7e8_d6623ce97bf84b14a084e25c1259ca0f.pdf?index=true
    • http://fujatelet.epizy.com/83180712628.pdf
    • http://kivaxobezi.epizy.com/how_to_turn_up_mack_e7_460.pdf
    • https://b9a4c3d6-4ccf-4d04-9b0f-c2e9c357e15d.filesusr.com/ugd/e5cbe5_daf0db10722b4cad8b32b72531093ace.pdf?index=true
    • http://limufewugewo.rf.gd/29175194403.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename, Kind, Source, Size

  • font_00_sfnt_off000118b7.bin
    SHA-256: 444b435043439979ee20adc2f031757f955c48fe29db30cb0fed9a1f397c6cae
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x118B7
    Size: 5412 bytes
  • font_01_sfnt_off00012b15.bin
    SHA-256: f0beebd256152176ad7e965bbb941282b420fd8c338c00a4e84d0f1f7c6b551f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12B15
    Size: 13948 bytes